Network-based content distribution system

ABSTRACT

A method and system for transferring electronic media information over a public network in such a way as to provide safeguards against inappropriate distribution of copyright or otherwise protected materials are described. The media information is transparently watermarked with a unique ID, such as one generated from an X.509 Digital Certificate and public-key cryptography public/private key pairs, such that the information can be identified as belonging to a particular individual. Also described are a system and method for monitoring the movement of such watermarked files, positively identifying people who have inappropriately distributed copyright materials over a public network without permission, and taking appropriate enforcement action against such people.

RELATED APPLICATION

The present application is a Continuation of co-pending U.S. application Ser. No. 09/789,298 filed on Feb. 20, 2001, which claims the benefit of U.S. Provisional Application No. 60/250,445 filed on Nov. 30, 2000, U.S. Provisional Application No. 60/223,128 filed on Aug. 7, 2000, U.S. Provisional Application No. 60/209,506 filed on Jun. 5, 2000, and U.S. Provisional Application No. 60/183,638 filed on Feb. 18, 2000, and which is a continuation of U.S. application Ser. No. 09/782,707 filed on Feb. 12, 2001 (abandoned), and the contents of each of the aforementioned prior applications are incorporated herein by reference in their entirety.

BACKGROUND

1. Field of the Invention

The present invention relates to the field of electronic media file content distribution. Additionally, the invention relates to embedding unique electronic signature information, referred to as watermarks, and inserting these watermarks into an electronic media file to facilitate the authentication of the person responsible for the file.

2. Related Art

The use of the Internet and the World Wide Web as tools for content delivery and e-commerce has increased dramatically in recent years. As a consequence, the delivery of electronic media content materials such as music, videos, software, books, multi-media presentations, images, and other electronic media over a network to one or more consumers has likewise increased dramatically. Users may download such electronic media files legitimately from a content provider, for example a record label such as Sony Records or Capitol Records, or inappropriately from one of the content download services without the permission of the copyright owner. Using a network such as the Internet, users may, and quite frequently do, transfer digital media files they have downloaded, whether legitimately or otherwise, to others.

In this way, consumers of electronic media information may simply and freely distribute such media information over a public network such as the Internet without the permission of the copyright owner (or other property rights owners). Such consumers who inappropriately distribute copyright material over public networks cannot currently be positively identified, if they can even be tracked down at all. Therefore, these consumers can quite often successfully deny culpability.

A prevalent concern within the media publishing and/or distribution business is that the supply vs. demand equation that drives the economics of valuable goods and services no longer applies to digital media. Since a digital media file such as a music or movie file can be duplicated essentially an unlimited number of times and distributed at virtually no cost, the economics for providing such digital materials to the public is not viable. In order to return the supply versus demand equation back to the digital media domain, individual digital media files must be configured in such a way as to give them properties similar to physical objects. With such physical properties, these files can be handled and monitored in ways that are similar to physical objects, thus allowing the return of the necessary economic incentives and viability.

To date, there have been various approaches to solving the problems associated with the management, control and distribution of digital media files. Most of these approaches focus on protecting digital media files in such a way as to limit the functionality of such files when outside of the domain that has been pre-approved by the authorized distributor of such media. An example is found in the distribution of encrypted digital information along with an encryption key that will only decrypt the information under a limited number of circumstances.

Although encryption schemes have provided solutions to other problems involving digital media content, they are not the preeminent answer to the problem of identifying and monitoring content files. For example, encryption schemes provide an unsatisfactory solution for digital media for the following reasons:

1) Encryption schemes are often targets for many hackers, and it is typically only a matter of time before decryption algorithms will be discovered and published on a wide scale.

2) The market is overwhelmed with a number of encryption schemes. Therefore, no single standard is likely to be adopted and enforced.

3) Encryption adds a great deal of expense to the distribution of digital media. In some cases, this extra expense may make the difference between profitable and unprofitable distribution.

4) Encryption adds a layer of complexity for the consumer that will most likely result in lower consumer satisfaction.

5) Popular media sharing facilities, for example Napster, have educated tens of millions of consumers about the ease with which media files can be transferred. It may in fact be too late to successfully change the accepted model for electronic media distribution.

Consumers might possibly have embraced encryption of digital media files had it been introduced on a large scale before the Napster file-sharing model. Consumers generally will learn to accept models that add a level of complexity if these models are in fact the only models available. However, the complexities that content distributors would like to introduce into the market with encryption will arrive after the superior model has been introduced. This will likely result in media content file protection schemes such as encryption and copy protection disappearing over time.

SUMMARY

The solution to the numerous problems confronting the rights owners of digital media is, therefore, not simply an issue of adding encryption. It is more accurately an issue of uniquely marking and identifying digital media files with authenticated information from a trusted authority and making business decisions that will maximize the potential return-on-investment for such files. Therefore, there is a need in the electronic media content distribution field to be able to mark content files with an authenticated digital signature that uniquely identifies the person who is the source, to be able to monitor the files if they are transferred to others, and to have these capabilities while imposing minimal burden and inconvenience on the consumer.

One aspect of this system relates to a system for network-based content distribution. The system includes an interface module configured to interface with a network. A transaction module is coupled to the interface module and configured to initialize a transaction with the user, authenticate the identity of a user, obtain a digital certificate related to said user, search for content desired by said user, implement a payment transaction with the user, generate a watermark related to said user and transfer content to said user, and insert said watermark into said content. A transaction database is configured to store information related to transactions carried out by the transaction module. An archive database is configured to store content selected by users. A certification authority is configured to authenticate users and issue digital certificates.

Another aspect of the invention relates to a method for distributing content over a network. The method includes initiating a transaction with the user. The digital certificate of the user is then authenticated. The user is allowed to search for and select content to be downloaded. A watermark is generated by the system which relates to the content to be downloaded, the source of the content and the identity of the user. The watermark is inserted into the content prior to its downloading to the user.

Another aspect of the invention relates to a method for verifying, searching for and identifying content accessible over a network. The method includes identifying files which are accessible over the network. For each such identified file, the file is searched to determine whether it includes a watermark which is related to the source of the content and the identification of the authorized user of the content. The method then involves determining whether the present location of the content with the watermark is an authorized location.

Other features and advantages of the present invention will become more readily apparent to those of ordinary skill in the art after reviewing the following detailed description and accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The details of the present invention, both as to its structure and operation, may be gleaned in part by study of the accompanying drawings, in which like reference numerals refer to like parts, and in which:

FIG. 1 illustrates a typical network configuration in which this invention may operate.

FIG. 2 is a block diagram of an example of a system overview architecture.

FIG. 3 is a flowchart of a process of conducting a media content transaction.

FIG. 4 is a diagram of a typical watermark.

FIG. 5 is a flowchart of a process of embedding a watermark in media content data.

FIG. 6 is a block diagram of a content distribution system and customer site.

FIG. 7 is a block diagram of a content distribution system and customer site.

DETAILED DESCRIPTION

Certain embodiments as disclosed herein provide for a method and system for distributing content over a network.

After reading this description it will become apparent to one skilled in the art how to implement the invention in various alternative embodiments and alternative applications. However, although various embodiments of the present invention are described herein, it is understood that these embodiments are presented by way of example only, and not limitation. As such, this detailed description of various alternative embodiments should not be construed to limit the scope or breadth of the present invention as set forth in the appended claims.

The following discussion provides a number of useful definitions of terms used in describing embodiments of the disclosed invention.

As used herein, the terms “network” and “Internet” refer to a network or combination of networks spanning any geographical area, such as a local area network, wide area network, regional network, national network, and/or global network. Those terms may refer to hardwire networks, wireless networks, or a combination of hardwire and wireless networks. Hardwire networks may include, for example, fiber optic lines, cable lines, ISDN lines, copper lines, etc. Wireless networks may include, for example, cellular systems, personal communication services (PCS) systems, satellite communication systems, packet radio systems, and mobile broadband systems. A cellular system may use, for example, code division multiple access (CDMA), time division multiple access (TDMA), personal digital phone (PDC), Global System Mobile (GSM), or frequency division multiple access (FDMA), among others.

As used herein, a VPN is a secure and encrypted communications link between nodes on the Internet, a Wide Area Network (WAN), or an Intranet. These nodes can communicate with each other; however, it is virtually impossible for a hacker to either comprehend the meaning of the signals or send signals that are believed to be authentic. One secure communications technology that is designed to facilitate a VPN is Secure Sockets Layer (or SSL). Other secure communications technologies can be used as well. It is not a requirement that a VPN be a private network such as SITA, the international network for airline reservations.

As used herein, a VPN provider refers to software, hardware, or both that secure an audio/video conferencing session in such a way as to minimize the possibility that it can be altered or inappropriately viewed or transmitted. A VPN can operate between a number of internet-enabled devices; for example, a VPN can run on two PCs that are connected together using well known security technologies. In another embodiment, a VPN can operate between a PC and a Web Site using security technologies. In yet another embodiment, a VPN can additionally operate between many PCs and/or many Web Sites. Hand-held devices, mobile phones, and web-enabled TV sets can be used as client devices instead of PCs as part of the VPN as well.

As used herein, the term “website” refers to one or more interrelated web page files and other files and programs on one or more web servers, the files and programs being accessible over a computer network, such as the Internet, by sending a hypertext transfer protocol (HTTP) request specifying a uniform resource locator (URL) that identifies the location of one of said web page files, wherein the files and programs are owned, managed or authorized by a single business entity. Such files and programs can include, for example, hypertext markup language (HTML) files, common gateway interface (CGI) files, and Java applications. The web page files preferably include a home page file that corresponds to a home page of the website. The home page can serve as a gateway or access point to the remaining files and programs contained within the website. In one embodiment, all of the files and programs are located under, and accessible within, the same network domain as the home page file. Alternatively, the files and programs can be located and accessible through several different network domains.

As used herein, a “web page” comprises that which is presented by a standard web browser in response to an HTTP request specifying the URL by which the web page file is identified. A web page can include, for example, text, images, sound, video, and animation.

As used herein, “content file”, “media content file” and “content data” refer to the delivery of electronic media content materials such as music, videos, software, books, multi-media presentations, images, and other electronic data, for example over a network to one or more consumers. Content data will typically be in the form of computer files for video, audio, program, data and other multimedia type content as well as actual physical copies of valuable content, for example CD-ROM, DVD, VCR, Audio, TV or radio broadcast, streaming audio and video over networks, or other forms of embodying such information. The terms “content file”, “media content file” and “content data” are used interchangeably herein.

As used herein, “consumer” and “user” refer to a person that seeks to transfer or download media content files, for example from a content provider or distributor. The terms “consumer” and “user” are used interchangeably herein.

As used herein, a computer may be any microprocessor or processor controlled device that permits access to the Internet, including terminal devices, such as personal computers, workstations, servers, clients, mini computers, main-frame computers, laptop computers, a network of individual computers, mobile computers, palm-top computers, hand-held computers, set top boxes for a television, other types of web-enabled televisions, interactive kiosks, personal digital assistants, interactive or web-enabled wireless communications devices, mobile web browsers, or a combination thereof. The computers may further possess one or more input devices such as a keyboard, mouse, touch pad, joystick, pen-input-pad, and the like. The computers may also possess an output device, such as a screen or other visual conveyance means and a speaker or other type of audio conveyance means.

These computers may be uni-processor or multi-processor machines. Additionally, these computers include an addressable storage medium or computer accessible medium, such as random access memory (RAM), an electronically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), hard disks, floppy disks, laser disk players, digital video devices, compact disks, video tapes, audio tapes, magnetic recording tracks, electronic networks, and other techniques to transmit or store electronic content such as, by way of example, programs and data. In one embodiment, the computers are equipped with a network communication device such as a network interface card, a modem, or other network connection device suitable for connecting to the communication network. Furthermore, the computers execute an appropriate operating system such as Linux, Unix, Microsoft® Windows® 95, Microsoft® Windows® 98, Microsoft® Windows® NT, Apple® MacOS®, or IBM® OS/2®. As is conventional, the appropriate operating system includes a communications protocol implementation which handles all incoming and outgoing message traffic passed over the Internet. In other embodiments, while the operating system may differ depending on the type of computer, the operating system will continue to provide the appropriate communications protocols necessary to establish communication links with the Internet.

The computers may advantageously contain program logic, or other substrate configuration representing data and instructions, which cause the computer to operate in a specific and predefined manner as described herein. In one embodiment, the program logic may advantageously be implemented as one or more object frameworks or modules. These modules may advantageously be configured to reside on the addressable storage medium and configured to execute on one or more processors. The modules include, but are not limited to, software or hardware components that perform certain tasks. Thus, a module may include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.

The various components of the system may advantageously communicate with each other and other components comprising the respective computers through mechanisms such as, by way of example, interprocess communication, remote procedure call, distributed object interfaces, and other various program interfaces. Furthermore, the functionality provided for in the components, modules, and databases may be combined into fewer components, modules, or databases or further separated into additional components, modules, or databases. Additionally, the components, modules, and databases may advantageously be implemented to execute on one or more computers. In another embodiment, some of the components, modules, and databases may be implemented to execute on one or more computers external to the web site. In this instance, the web site includes program logic, which enables the web site to communicate with the externally implemented components, modules, and databases to perform the functions as disclosed herein.

As used herein, the term “consumer ID” refers to a positive digital identification of the user, computer, or player device owned by a person who downloads content, has access to content download systems, or can access the systems described in this patent. A positive digital identification may be any one or a plurality of the following: an individual's digital certificate, a digital certificate or digital certificate serial number digitally signed using the user's private key, a transactional ID digitally signed using a user's private key that can be verified via the user's public key, the serial numbers of computers or player devices owned by or registered to a user, a message received by a system containing verified biometrics data (fingerprint, face recognition, eye/retina recognition, voice recognition etc.), or other legally recognizable means to identify an individual.

As used herein, the term “digitally signing” includes the cryptographically standard process of using a private key to generate a message or message hash/digest that, when decrypted using a public key, validates that the message was generated using an individual's private key.

As used herein, the term “authentication” refers to making it possible for the receiver of a message or file to ascertain its origin, so that an intruder should not be able to masquerade as someone else.

As used herein, the term “integrity” refers to making it possible for the receiver of a message or file to verify that it has not been modified in transit, so that an intruder should not be able to substitute a false message for a legitimate one.

As used herein, the term “non-repudiation” refers to minimizing the possibility of a sender being able to falsely deny later that he participated in communications activities.

Additionally, this patent relates to new electronic signature laws passed in the US and Europe and soon to be passed in Japan. In late June of 2000, President Clinton signed the “Electronic Signatures in Global and National Commerce Act”, or “E-Sign Bill”. This bill puts the force of national law behind electronic signature transactions.

FIG. 1 illustrates a representative network configuration 100 in which this invention may be implemented. However, various other types of electronic devices communicating in a networked environment may also be used. A user 102, which may be a consumer or any other recipient of content files, communicates with a computing environment, which may include multiple server computers 108 or a single server computer 110 in a client/server relationship on a network communication medium 116. In a typical client/server environment, each of the server computers 108, 110 may include a server program that communicates with a client device 115, which may be a personal computer (PC), a hand-held electronic device, a mobile or cellular phone, a TV set or any number of other electronic devices.

The server computers 108, 110, and the client device 115 may each have any conventional general purpose single- or multi-chip microprocessor, for example a Pentium® processor, a Pentium® Pro processor, an 8051 processor, a MIPS® processor, a Power PC® processor, an ALPHA® processor or any other processor. In addition, the microprocessor may be any conventional special purpose microprocessor such as a digital signal processor or a graphics processor. Additionally, the server computers 108, 110 and the client device 115 may be desktop, server, portable, hand-held, set-top, or any other desired type of device. Furthermore, the server computers 108, 110 and the client device 115 each may be used in connection with various operating systems, including, for example, UNIX, LINUX, Disk Operating System (DOS), VxWorks, PalmOS, OS/2, Windows 3.X, Windows 95, Windows 98, and Windows NT.

The server computers 108, 110 and the client device 115 may each include a network terminal equipped with a video display, keyboard and pointing device. In one embodiment of the network configuration 100, the client device 115 includes a network browser 120 used to access the server computer 110. The network browser 120 may be, for example, Microsoft Internet Explorer or Netscape Navigator.

The user 102 at the client device 115 may utilize the browser 120 to remotely access the server program using a keyboard and/or pointing device and a visual display, such as a monitor 118. Although FIG. 1 shows only one client device 115, the network configuration 100 may include any number of client devices.

The network 116 may be any type of electronic transmission medium, for example, including but not limited to the following networks: a virtual private network (hereinafter VPN), a public Internet, a private Internet, a secure Internet, a private network, a public network, a value-added network, an intranet, or a wireless gateway. The term “Virtual Private Network” (VPN) refers to a secure and encrypted communications link between nodes on the Internet, a Wide Area Network (WAN), Intranet, or any other network transmission means. While the VPN nodes may communicate with each other, it is virtually impossible for a hacker to either comprehend the meaning of the signals or send signals that are believed to be authentic. One example of a secure communications technology that is designed to facilitate a VPN is the Secure Sockets Layer (SSL). It is contemplated by this application that there may be much better techniques other than SSL that may be deployed in order to scramble the data for content downloads. It is well known in the industry that other extremely effective scrambling techniques exist and are commonly used. Although SSL is a transport protocol, other scrambling techniques that are not transport protocols may be utilized. The non-SSL techniques may simply be techniques that will quickly and efficiently scramble and likewise unscramble the data that is being transmitted via the network.

While a VPN may be conducted on a private network, it may additionally be conducted on a public network as well. A VPN may include, for example, one or more client devices connected to a combination of web server(s), video archive server(s), source server(s), or Multi-Point Control Units (MCUs), which are secured using state-of-the-art security technologies.

In addition, the connectivity to the network may be, for example, via a remote modem, Ethernet (IEEE 802.3), Token Ring (IEEE 802.5), Fiber Distributed Datalink Interface (FDDI) or Asynchronous Transfer Mode (ATM). The network 116 may additionally connect to the client device 115 by use of a modem or by use of a network interface card that resides in the client device 115. The server computers 108 may be connected via a wide area network 106 to a network gateway 104, which provides access to the wide area network 106 via a high-speed, dedicated data circuit.

Devices other than the hardware configurations described above may be used to communicate with the server computers 108, 110. If the server computers 108, 110 are equipped with voice recognition or DTMF hardware, the user 102 may communicate with the server computers by use of a telephone 124. Other examples of connection devices for communicating with the server computers 108, 110 include a portable personal computer (PC) 126 with a modem or wireless connection interface, a cable interface device 128 connected to a visual display 130, or a satellite dish 132 connected to a satellite receiver 134 and a television 136. Still other methods of allowing communication between the user 102 and the server computers 108, 110 are contemplated by this application.

Additionally, the server computers 108, 110 and the client device 115 may not necessarily be located in the same room, building or complex. In fact, the server computers 108, 110 and the client device 115 could each be located in different physical locations, for example in different cities, states or countries. This geographic flexibility which networked communications allows is within the contemplation of this application.

FIG. 2 is a block diagram of an example of a system overview architecture. The user devices 115 and network 116 are as described above in relation to FIG. 1. The user may obtain content media by initiating a transaction with a user device 115. A typical transaction may include the actions of initialization, authenticating the user, retrieving or storing a digital certificate, searching for and selecting content, payment, generating a watermark and embedding it in the content, and transferring the content to the user. These actions will be described in further detail with regard to FIG. 3. A non-exhaustive list of several transactions includes a download session, a streaming session, a peer-to-peer session, a transfer to another user, a gift to another person, and re-sale of digital media files.

Transactions containing sensitive data may have the appropriate fields encrypted prior to storing and similarly be decrypted after retrieval. A secure link may be established between the customer site 270, the content distribution system 200 and the user device 115. The content distribution system 200 can include one or more servers 108, 110 as shown in FIG. 1. The customer site 270 may be, for example, a media content provider, media content distributor, or other customer system, also in the form of a server. Thus by encrypting the content data as it is transferred, a VPN may be established between the content and the user. This secure content distribution system is referred to hereinafter as a Content VPN.

An embodiment of a content distribution system site 200 may include an interface module 250, which can provide an easy-to-use and consistent user interface across the plurality of possible types of user devices 115. In one embodiment, this interface module 250 is a software module executing on a processor of the content distribution system 200. Additionally, it is also contemplated that portions or the entirety of the interface module 250 may execute at a user device 115 or at a customer site 270.

An archive server 240 may act as a temporary storage area or buffer between the customer site 270 and the user device 115 during content download. The archive server may comprise copying, encrypting, archiving and decrypting the media content, or any other type of binary or text data as well. When the consumer has been granted the ability to download certain content materials, the content materials now accessible to the consumer may be updated in the archive server 240 buffer for that consumer. In this way, the archive server 240 buffer may contain either a pointer to the media content or the actual media content itself. In a further embodiment, a number or string of characters that uniquely identify the content ordered by the consumer can be used rather than a pointer to the media content data. As one skilled in the art will recognize, the archive server 240 may be on a single computer or distributed across multiple computers.

Additionally, when downloading the media content material, the archive server 240 may be accessed in order to retrieve a pointer to the media content data or to locate the content data on the storage facilities within the archive server's 240 buffer. The media data stream may be buffered by the archive server 240 to enable both the encryption of the data stream and watermarking to be added to the data stream. Additionally contemplated is that the media streaming data may be buffered at other locations as well.

In one embodiment, the archive server 240 buffer is a computer database. This archive database 244 may reside on a database server that is accessible via the Internet, or may alternatively reside on an internal Intranet accessible only by the content distribution system 200 or the customer site system 270. This archive database 244 may be accessed using various database access tools well known by those skilled in the art, such as SQL, LDAP, ODBC, or other database protocols.

In one embodiment, the content distribution system 200 includes a master database 218. The master database 218 may additionally reside elsewhere, for example at the customer site 270, or on a database server that is accessible via the Internet or another communication network. This master database 218 may be used to store a copy of each media content transaction that has occurred in the transaction database 214, as well as information useful for tracking and auditing purposes to identify digital content that is being inappropriately copied and shared in connection with the Automatic Legal Action Management (ALAM) module 220. In one embodiment, a software module executing on a processor of the content distribution system 200 will be responsible for scanning user devices 115, customer sites 270 or other public network-accessible devices looking for copies of digital content that has been watermarked by the content distribution system 200. In the event an inappropriate copy is found, the master database 218 will contain information pointing to the original purchaser who can then be contacted for potential legal action, payment of a suitable royalty fee or other actions.
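As an added illustration (not code from the patent), the following Go program models the watermark described in the Summary and the master database lookup in the paragraph above: a watermark record tying the transaction, content, source and purchaser's certificate serial together is signed with the purchaser's private key (the signed-transaction-ID form of consumer ID defined earlier), and a file found on the network is attributed to a purchaser only if its mark verifies under the key on record, after which the present location is compared with the authorised one. The field layout, the "|" encoding, ECDSA P-256, the in-memory master database and every sample identifier are assumptions of this example; how the record is embedded into the media stream is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Watermark is the record embedded in a content file, tying the content and its
// source to the purchaser's digital certificate. The field layout and the "|"
// encoding below are assumptions of this example, not the patent's format.
type Watermark struct {
	TransactionID string // issued by the transaction module
	ContentID     string // the media item that was purchased
	SourceID      string // customer site / provider that supplied it
	CertSerial    string // serial of the purchaser's X.509 certificate
}

// canonical returns the bytes that get hashed and signed: a fixed field order
// and a separator the fields never contain make the digest reproducible.
func (w Watermark) canonical() []byte {
	return []byte(w.TransactionID + "|" + w.ContentID + "|" + w.SourceID + "|" + w.CertSerial)
}

// SignWatermark signs the SHA-256 digest of the watermark with the consumer's
// private key (the "transactional ID digitally signed using a user's private
// key" form of consumer ID), so the matching public key can confirm it later.
func SignWatermark(w Watermark, priv *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(w.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyWatermark reports whether sig was produced over exactly w by the holder
// of pub; any change to a field changes the digest and fails the check.
func VerifyWatermark(w Watermark, sig []byte, pub *ecdsa.PublicKey) bool {
	digest := sha256.Sum256(w.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// PurchaserRecord is what the master database keeps per certificate serial: the
// key that validates the purchaser's marks and the location the purchase allowed.
type PurchaserRecord struct {
	PublicKey          *ecdsa.PublicKey
	AuthorizedLocation string
}

// MasterDB is an in-memory stand-in for the master database, keyed by serial.
type MasterDB map[string]PurchaserRecord

// Finding is the result of examining one watermarked file found on the network.
type Finding struct {
	CertSerial string // the purchaser the watermark points back to
	Authorized bool   // whether the file sits where the purchase allowed
}

// Investigate models the ALAM check for a file found at foundAt. The mark must
// verify under the purchaser's public key before anyone is implicated (an altered
// or forged mark is an error, not an attribution); only then is the present
// location compared with the authorised one.
func Investigate(db MasterDB, w Watermark, sig []byte, foundAt string) (Finding, error) {
	rec, ok := db[w.CertSerial]
	if !ok {
		return Finding{}, errors.New("watermark names an unknown certificate serial")
	}
	if !VerifyWatermark(w, sig, rec.PublicKey) {
		return Finding{}, errors.New("watermark signature does not verify: altered or forged")
	}
	return Finding{CertSerial: w.CertSerial, Authorized: foundAt == rec.AuthorizedLocation}, nil
}

func main() {
	// Constructed sample: a P-256 key pair stands in for the key behind one
	// purchaser's X.509 certificate, registered in the master database.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	db := MasterDB{"SER-0001": {PublicKey: &priv.PublicKey, AuthorizedLocation: "device-A"}}
	w := Watermark{TransactionID: "TX-42", ContentID: "ALBUM-7", SourceID: "SITE-270", CertSerial: "SER-0001"}
	sig, err := SignWatermark(w, priv)
	if err != nil {
		panic(err)
	}
	// The same mark found on the purchaser's own device, then on a public host.
	for _, loc := range []string{"device-A", "public-share-host"} {
		f, err := Investigate(db, w, sig, loc)
		fmt.Printf("found at %-17s -> purchaser %s authorized=%v err=%v\n", loc, f.CertSerial, f.Authorized, err)
	}
	// A copy whose mark was edited to name another transaction no longer
	// verifies, so it is not attributed to anyone.
	altered := w
	altered.TransactionID = "TX-99"
	_, err = Investigate(db, altered, sig, "public-share-host")
	fmt.Println("altered mark:", err)
}
```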

In one embodiment, certain fields in the master database 218 may contain sensitive information such as a customer name, digital certificate, or encryption key, and will be protected against unauthorized access by others. A one-way hash algorithm is suitable only for a field that never needs to be read back, such as a customer name that is looked up by exact match: equal names produce equal hashes, but the name cannot be recovered from the hash. A value that must be used again later, such as an encryption key, cannot be hashed and must instead be encrypted with a reversible cipher whose key is held outside the database. To provide an additional layer of security, the master database 218 server only accepts connections from designated transaction servers. The master database 218 may see high volumes of access requests, requiring a high capacity server, a multitude of database servers, or other manner of enhancing database access.
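The distinction between hashing and encrypting a column matters in practice, so here is an added Go example that is not code from the original (which names no implementation): a keyed one-way hash for a field that is only ever matched, beside AES-256-GCM for a key that must be read back. The key material, the column names and the sample row are constructed for illustration; the hash key is assumed to live in a KMS or HSM rather than beside the table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// LookupToken is the right tool for a field that is only matched, never read
// back: a keyed one-way hash of the customer name. Equal names give equal
// tokens, but the name cannot be recovered. The key (assumed to be held in a
// KMS or HSM, not in this database) stops an attacker who copies the table
// from testing candidate names offline.
func LookupToken(hashKey []byte, customerName string) string {
	mac := hmac.New(sha256.New, hashKey)
	mac.Write([]byte(customerName))
	return hex.EncodeToString(mac.Sum(nil))
}

// SealSecret is the right tool for a field that must be used again later
// (an encryption key): AES-256-GCM, reversible and tamper-evident. The random
// nonce is prepended to the ciphertext and the column name is bound as
// associated data, so a ciphertext cannot be swapped into another column.
func SealSecret(dbKey []byte, column string, secret []byte) ([]byte, error) {
	block, err := aes.NewCipher(dbKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(column)), nil
}

// OpenSecret recovers the value; it fails on tampering or on the wrong column.
func OpenSecret(dbKey []byte, column string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(dbKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(column))
}

func main() {
	hashKey, dbKey := make([]byte, 32), make([]byte, 32) // 32 bytes: HMAC key and AES-256 key
	rand.Read(hashKey)
	rand.Read(dbKey)

	// Constructed sample row: a customer name and a consumer key to be stored.
	tok := LookupToken(hashKey, "Alice Example")
	fmt.Println("name token:", tok[:16]+"... (matchable, not reversible)")

	sealed, _ := SealSecret(dbKey, "consumer_key", []byte("sample key material"))
	back, err := OpenSecret(dbKey, "consumer_key", sealed)
	fmt.Println("key recovered:", err == nil && string(back) == "sample key material")
	_, err = OpenSecret(dbKey, "session_key", sealed)
	fmt.Println("cross-column open rejected:", err != nil)
}
```

A hashed key column would be unusable the moment the system needed the key to decrypt a stream; the sealed column round-trips, and any bit flip or column swap is rejected by the GCM tag.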

The Certification Authority 260 refers to the entity that will issue,validate, revoke, and otherwise manage the digital certificates for thecontent distribution system 200. In one embodiment, the CertificationAuthority 260 may be a large and well-known corporation that hasestablished itself as being a trusted authority in the industry. It isadditionally contemplated that virtually any entity, large or small, mayperform the functions that are required of the Certification Authority260. In a further embodiment, the content owner, customer site 270,content distribution system 200, cable or satellite television provider,telephone company, or other network 116 access provider may perform thecertification functions. In one embodiment, the Certification Authority260 may perform various operations using one or more servers, includingbut not limited to:

1) Validate a certificate when a consumer enters the content distribution system 200 or customer site system 270.

2) Issue an encryption key pair to the consumer's device or device gateway, or use the existing public/private key pair for this user/certificate.

3) Issue digital certificate(s) to a user's device or device gateway ifit is a new device or user that needs a digital certificate.

4) Revoke a user's digital certificate(s).

5) Perform other operations relating to the management of digitalcertificates.

The Automated Legal Action Management (ALAM) module 220 includes anautomated system for detecting and reporting unauthorized transfers ofwatermarked data streams. The ALAM module 220 reduces the amount ofdetective and legal work that would be required by the content rightsowners and license holders of valuable content materials.

As is known by those in the art, software programs commonly referred toas “ferret” programs, web crawler programs, “robot” programs, or “bots”are designed to access a public network 116 such as the Internet andlook for certain pieces of information. In one embodiment, a ferretprogram accesses web sites, links to other web sites, FTP sites,databases, or subdirectories on PCs providing the consumer has givenpermission for one or more designated subdirectories to be accessed.Additionally, the ALAM module 220 searches other networks besides theInternet, including but not limited to mailbox systems and Intranetsystems, provided that the ALAM module 220 has authorization to connectand log-on to these networks.

In one embodiment, while searching these various networks, databases, orstorage facilities, the ALAM module 220 only downloads content filesthat meet predetermined criteria. Predetermined criteria refers to theALAM module 220 only downloading files that are determined to have ahigh probability of being in a place that is not approved by the rightowner.

A ferret program may look for content materials that have predetermined markings within the file that show the data to be content previously watermarked by the content distribution system 200. Once a ferret program locates such a file, the watermark or watermarks may be located and a request issued to the Certification Authority 260 to confirm that the digital certificate ID carried in the watermark was issued by it and has not been revoked. If the Certification Authority 260 reports the certificate as valid, an attempt is made to find a digital certificate on the device and compare the digital certificate ID numbers for a match. If the digital certificate ID numbers do not match, or if the digital certificate information for the device cannot be obtained, a counter accumulates for that selection of content and that digital certificate ID number. Once the counter reaches a predetermined threshold number, a letter may be automatically generated and sent via e-mail, postal service, or other delivery method to the owner of the digital certificate. A watermark whose certificate ID the Certification Authority 260 cannot confirm is attributed to no one and therefore contributes to no counter.
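The decision procedure above, written out as an added Go example that is not part of the original. The watermark layout (a "\x00WM1|content|serial|" marker), the in-memory stand-in for the Certification Authority's validity answer, the verdict names and the sample file bytes are all assumptions; the original specifies none of them. Two checks the text leaves implicit are made explicit here: an unverifiable certificate ID contributes to no counter, and the same copy rescanned at the same location is not counted twice.

```go
package main

import (
	"bytes"
	"errors"
	"strings"
)

// Watermark is the payload embedded in every sold copy: which content it is
// and the serial of the digital certificate that bought it.
type Watermark struct {
	ContentID  string
	CertSerial string
}

// The "\x00WM1|<content>|<serial>|" layout is a stand-in for a real watermark
// codec; the original text names no concrete encoding.
const wmMagic = "\x00WM1|"

// ExtractWatermark locates the marker in a file image and parses it.
func ExtractWatermark(file []byte) (Watermark, error) {
	i := bytes.Index(file, []byte(wmMagic))
	if i < 0 {
		return Watermark{}, errors.New("no watermark present")
	}
	f := strings.SplitN(string(file[i+len(wmMagic):]), "|", 3)
	if len(f) < 3 || f[0] == "" || f[1] == "" {
		return Watermark{}, errors.New("malformed watermark")
	}
	return Watermark{ContentID: f[0], CertSerial: f[1]}, nil
}

// CertAuthority stands in for the Certification Authority's answer to
// "did you issue this serial, and is it still valid?".
type CertAuthority struct{ Issued, Revoked map[string]bool }

func (ca CertAuthority) Valid(serial string) bool {
	return ca.Issued[serial] && !ca.Revoked[serial]
}

type Verdict string

const (
	NoWatermark Verdict = "no watermark: statistics only, no enforcement"
	UnknownCert Verdict = "unknown or revoked certificate: no enforcement"
	OwnerDevice Verdict = "copy is on the certificate owner's own device"
	Duplicate   Verdict = "this location was already counted"
	Counted     Verdict = "unauthorised copy counted"
	Notify      Verdict = "threshold reached: notify certificate owner"
)

// ALAM keeps one counter per (content, certificate) pair and notifies once.
type ALAM struct {
	CA        CertAuthority
	Threshold int
	Unmarked  int             // files seen without a usable watermark
	counts    map[string]int  // copies found per content/serial
	seen      map[string]bool // content/serial@location already counted
	notified  map[string]bool
}

func NewALAM(ca CertAuthority, threshold int) *ALAM {
	return &ALAM{CA: ca, Threshold: threshold, counts: map[string]int{},
		seen: map[string]bool{}, notified: map[string]bool{}}
}

// Inspect applies the decision procedure to one file found at location.
// deviceSerial is the certificate serial read from the hosting device, or
// "" when it could not be obtained.
func (a *ALAM) Inspect(file []byte, location, deviceSerial string) Verdict {
	wm, err := ExtractWatermark(file)
	if err != nil {
		a.Unmarked++
		return NoWatermark
	}
	if !a.CA.Valid(wm.CertSerial) {
		return UnknownCert // cannot attribute the copy: never enforce on an unverifiable mark
	}
	if deviceSerial == wm.CertSerial {
		return OwnerDevice
	}
	key := wm.ContentID + "/" + wm.CertSerial
	if a.seen[key+"@"+location] {
		return Duplicate // rescanning the same copy must not inflate the count
	}
	a.seen[key+"@"+location] = true
	a.counts[key]++
	if a.counts[key] >= a.Threshold && !a.notified[key] {
		a.notified[key] = true
		return Notify
	}
	return Counted
}
```

With a threshold of 3, scanning one sold file at three distinct public locations yields Counted, Counted, Notify; a fourth location yields Counted again, because the notification fires once per content/certificate pair, and the same location rescanned yields Duplicate. A file whose serial was revoked, and a file with no mark at all, produce no enforcement action.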

In one embodiment, the ALAM module 220 requires that the content piratepay a copy charge for each copy inappropriately transferred to anotherperson. For example, a pirate may download content with a valid digitalcertificate ID number embedded within the content. This same pirate maycopy this content file containing their digital certificate ID number toa content sharing facility that is available to the public at large.Examples of such content sharing facilities are Napster and Gnutellasystems, although there are others as well. Having made this contentavailable to the public at no charge, the content file containing theresponsible person's digital certificate ID number may be copied a largenumber of times as peer groups share content with other peer groups,typically at no charge and often in violation of the owner's rights.

In one embodiment of such theft detection of content data, many of thecopies of the content file containing the digital certificate ID numbermay be located and a copy charge may be determined based on the numberof copies inappropriately distributed. Once such a copy charge isdetermined, the pirate may then be charged for the piracy. One exampleof a way to determine a copy charge is to multiply the number of piratedcopies of content by the retail price for that content file. There areother ways to determine a copy charge as well, which are also within thecontemplation of this application.

In another embodiment, upon determining the appropriate copy charge, thepirate may be notified via e-mail, postal mail, registered mail, inperson, or by other allowable manners of notification. The pirate may begiven various payment options, for example to pay the full amount dueimmediately, make payments in accordance with a payment plan, pay anamnesty amount in addition to the promise to cease using public contentsharing sites, or other agreed upon restitution options.

In addition, it may be possible for the pirate's credit card to be charged automatically as long as the pirate has agreed to this condition beforehand and this agreement can be authenticated as being signed, i.e. agreed to, by the pirate. It is further possible to make software programs available to the pirate that will monitor content sharing functions that might take place without the pirate's knowledge. Such a software program can be downloaded and installed on a client-side PC or other user device 115. When a content sharing application is accessed, the user may be alerted or the content sharing application may be shut down if the user so desires. In the event a pirate refuses to pay, an appropriate "refusal of payment" report may be sent to the major credit reporting agencies. In this way, piracy is simply handled as an ordinary e-commerce transaction where a responsible party refuses payment.

To further facilitate the collection of pirate charges, the “E-Sign” lawin the US and many similar laws around the world may be leveraged toboth prove (in court if necessary) the responsibility of the person whoinappropriately distributed the copyright materials and compel theresponsible person to make the appropriate restitution to the owners ofthe copyright materials. In addition, further such automated legalactivity may be initiated if another selection of content using the samedigital certificate ID is generated in the future.

These ferret systems may find many occurrences where content data hasbeen inappropriately downloaded and distributed to unauthorized users.In one embodiment, the content and license owners do not need tophysically track and prosecute these hackers, as the detection andprosecution procedures are performed automatically. Where content datahas been inappropriately distributed to unauthorized persons, it isassumed that the user has decrypted the data and has made at least onecopy of the decrypted data that still has the watermarks inside the datastream.

In addition, there are other well-known and common methods for searchingfor watermarks within content data that are being transmitted over agiven network. These methods may be used to detect the inappropriatetransmission of watermarked content data and automatically initiatelegal actions. Such additional methods of detection and enforcement arewithin the contemplation of this application.

Additionally, a message may be embedded in the content that has been signed with the consumer's private key, so that it verifies only under the consumer's public key. Older descriptions call this "encrypting with the private key"; the operation is a digital signature, and because the public key is public it proves who produced the message but keeps nothing secret. If verification yields a clear text message that is previously known to the customer site 270 B2C partner, the consumer has been authenticated as the person responsible for the content download, to the extent that the private key has remained on the consumer's device and under the consumer's control.

In one embodiment, as the ALAM module 220 performs its operations, itmay encounter media files that either have no watermarks or thewatermarks cannot be identified or authenticated. When such contentfiles are found without watermarking, a statistical database may beupdated, however no legal activities or other types of enforcement maytake place unless there is a requisite level of evidence proving piracy.

In one embodiment, the ALAM module 220 will consider several factorsregarding various media content. For example, it is appropriate for theowner of a CD-ROM to resell it, for example to a store in the businessof reselling used CD-ROMs. In addition, it is also appropriate to shareCD-ROMs with friends and family. This same principle applies to digitalelectronic files as well. Content files may appropriately travel tovarious destinations. By providing a system and a facility for allowingthe electronic signing of the content file digital certificates ortransactional IDs, it is possible to prove that the user appropriatelyhandled content files. By examining the watermarked digital certificateor transactional ID for a particular content file and then examiningeach time the digital certificate or transactional ID was signed, it ispossible to see how the content file was appropriately transferred fromlocation to location. In this way, for example, a retail establishmentsuch as a reseller of CD-ROMs or DVDs may wish to have these physicalcopies electronically signed in order to prove that the disks have beenobtained legally and are now the property of the retail establishment.

In another embodiment, to further enable the ALAM module 220 to enforceowner's rights, it may be possible to offer a plurality of incentiveprograms to consumers to encourage them to help track the movement ofcontent files. For example, a consumer may be encouraged to go to aparticular web site and register each new CD-ROM or DVD that ispurchased. By doing so, the content VPN described in this applicationmay electronically sign the digital certificates while moving from placeto place. As a reward for such content registration, the user mayreceive valuable rewards, products, or services in return.

An example of this content registration and tracking may include:

1) Assigning a unique digital certificate or transactional ID andembedding the serial number within the watermark

2) Providing the consumer with registration incentives, such asproviding one free copy of content for every 10 content files that areregistered

3) Electronically signing the digital certificate at the appropriatecontent system

4) Allowing the consumer to decide to transfer ownership of the contentto another

5) Performing the approved content transfer, for example via a website

6) Electronically signing the digital certificate at the appropriatecontent system using the private key of the original owner, or theprivate key of the new owner, or both, to prove it was appropriatelyauthorized.

A Global Digital Rights Apportionment System (GDRAS) 230 makes it possible to apportion the money that is designated for artists, copyright owners, content owners, and other deserving entities in an efficient manner. A GDRAS 230 monitors digital certificates that are issued specifically for content files. In addition, the GDRAS 230 checks the transaction database 214 for the total amount of money collected from the user, and apportions all monies collected appropriately. In some cases, money will go to customer sites 270. In other cases, money will go to royalty collection bodies, for example the Recording Industry Association of America (RIAA), or other appropriate individual or entity.

A Copyright Registry System 234 allows artists, copyright owners, andother content owners to register their valuable digital content. Anembodiment of a Copyright Registry System 234 includes the following:

1) The consumer may use the user device 115 to log on to the Copyright Registry System 234, for example by accessing a web page. A check is made to determine if the consumer has a valid digital certificate or private key/public key pair. If not, or if they are out-of-date, then the Copyright Registry System 234 may prompt the user as necessary to obtain a new and valid X.509 digital certificate and public/private key pair. The Certification Authority 260 may be used to issue necessary digital certificates or key pairs as described in detail above.

2) The consumer may be prompted to identify the type of content to beregistered. For example, the consumer may wish to register one or moreof the following types of content: music, books, multi-media, video,software, printed media, or other types of digital media content.

3) Once the consumer accurately identifies the type of content toregister, the following operations may take place:

a) The consumer formally requests that the content file be registered.The payment 340 portion of the Transaction module 210 may be updatedappropriately.

b) The content file may be uploaded to a Copyright Registry System 234website

c) The Copyright Registry System 234 website may issue a new and uniqueX.509 digital certificate or unique message for the content file

d) The Copyright Registry System 234 website watermarks each contentfile with a serial number or message for each new and unique digitalcertificate issued

e) The Copyright Registry System 234 website may optionally have a clear text message signed with the content owner's private key and store the signed message within the watermark as well. Signing is the operation sometimes described as "encrypting with the private key": the message remains readable, and anyone holding the owner's public key, including the Copyright Registry System 234 website, can verify that it was produced by the holder of the matching private key. The private key itself never leaves the owner's device and is not stored in the watermark.

f) The Copyright Registry System 234 website may optionally add a clear text message together with the user's public key and store this within the watermark as well. The content owner's public key does not need to be encrypted, since it is public by design.

g) The content distribution system 200 may then communicate with thearchive server 240

h) The archive server 240 may then store transactional data in atransaction database 214

i) The archive server 240 may additionally store the consumer's publickey

j) The archive server 240 may additionally store the watermarked contentfile

k) The archive server 240 may additionally store the clear text messagein its database

l) The archive server 240 may finally store a list of e-mail addressesfor the users of the service. This list of e-mail addresses may be usedto communicate with the users of this Copyright Registry System 234.

m) The archive server 240 may transmit a fully watermarked copy of thecontent file back to the user's device 115 via an FTP transfer or e-mailmessage

4) An e-mail message back to the consumer typically may contain athorough explanation of the following:

a) The watermarking process

b) The digital certificate information

c) The method for searching for the watermark and the digitalcertificate

d) Helpful software programs, tools, and applications available to theconsumer easily obtained from the web or other public network

e) Other pertinent information

5) Transmit a copy of the watermarked content file to be electronicallyfiled with a governmental patent and copyright office such as the U.S.Patent and Trademark Office or the Copyright Office

The benefits of the Copyright Registry System 234 include:

1) The watermarked copy of the user's content may now be distributedover the network 116

2) An X.509 digital certificate or signed message is generated to provethe authenticity of the person who filed the content with the CopyrightRegistry 234

3) A clear text message in the watermark within the archive server 240may further prove the authenticity of the person who filed the contentwith the Copyright Registry 234. The authenticity of the watermark maysimilarly be established.

4) A copy of the watermarked content may remain in the archive database244

5) A copy of the watermarked content may be transmitted to agovernmental patent or copyright agency for registration and protection

With the Copyright Registry System 234, a player of content may check the registry to see if an identical digital certificate is being played by another player device. This may be achieved by communicating with the Copyright Registry 234 on-line using a network 116, for example the Internet, an Intranet, or other network. Certain in-use switches may be set to indicate that a user is currently using a particular content file. Following is an example of this. A software program that has been previously registered with the Copyright Registry 234 is initiated by an end user. During the program initialization process, the Copyright Registry 234 is checked to see if someone else is using the same software program with the same digital certificate. If so, the certificate is in use from two devices at once, which indicates that it has been shared, and the author or publisher may decide how best to communicate an appropriate message to the parties using the software. If no match is found, the switch is set and the content file plays normally; the registry must perform the check and the set as a single operation, otherwise two players starting at the same moment would both find the switch clear. When the content file reaches its end, the Copyright Registry 234 may be updated to indicate that the content file and the digital certificate for that content file are no longer being played. The in-use switch is set back to False, Null, Zero, or another value that indicates the content is no longer being played. A switch that a crashed player never cleared would leave the content unplayable, so the registry should also expire any switch that has not been refreshed within a set period.
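The in-use switch described above, as an added Go example that is not code from the original: the check and the set happen under one lock, only the holder may renew or clear its entry, and an entry that is not renewed within the lease period becomes reclaimable. The content and certificate identifiers, the player names and the lease length are constructed for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// UseRegistry records which (content, certificate) pairs are currently in
// use. Entries are leases with an expiry rather than bare booleans, so a
// player that crashes without checking in cannot leave the content locked
// forever; a running player renews its lease while it plays.
type UseRegistry struct {
	mu     sync.Mutex
	leases map[string]lease
	ttl    time.Duration
}

type lease struct {
	player  string
	expires time.Time
}

func NewUseRegistry(ttl time.Duration) *UseRegistry {
	return &UseRegistry{leases: map[string]lease{}, ttl: ttl}
}

func useKey(contentID, certSerial string) string { return contentID + "/" + certSerial }

// Acquire performs the check and the set under one lock, so two players
// racing for the same certificate cannot both be told "not in use".
// It returns false when a different player holds a live lease.
func (r *UseRegistry) Acquire(contentID, certSerial, player string, now time.Time) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	k := useKey(contentID, certSerial)
	if l, ok := r.leases[k]; ok && now.Before(l.expires) && l.player != player {
		return false // concurrent use of one certificate: the sharing signal
	}
	r.leases[k] = lease{player: player, expires: now.Add(r.ttl)}
	return true
}

// Renew extends a live lease the caller holds; it fails for any other player
// and for a lease that has already lapsed.
func (r *UseRegistry) Renew(contentID, certSerial, player string, now time.Time) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	k := useKey(contentID, certSerial)
	l, ok := r.leases[k]
	if !ok || l.player != player || !now.Before(l.expires) {
		return false
	}
	r.leases[k] = lease{player: player, expires: now.Add(r.ttl)}
	return true
}

// Release clears the in-use switch at end of play; only the holder may do so.
func (r *UseRegistry) Release(contentID, certSerial, player string) {
	r.mu.Lock()
	defer r.mu.Unlock()
	k := useKey(contentID, certSerial)
	if l, ok := r.leases[k]; ok && l.player == player {
		delete(r.leases, k)
	}
}

func main() {
	reg := NewUseRegistry(30 * time.Second)
	t0 := time.Now()
	fmt.Println("player A starts:", reg.Acquire("song-42", "1001", "A", t0))
	fmt.Println("player B, same certificate:", reg.Acquire("song-42", "1001", "B", t0.Add(5*time.Second)))
	reg.Release("song-42", "1001", "A")
	fmt.Println("player B after A releases:", reg.Acquire("song-42", "1001", "B", t0.Add(6*time.Second)))
	fmt.Println("player A after B's lease lapses:", reg.Acquire("song-42", "1001", "A", t0.Add(60*time.Second)))
}
```

The lease length is a trade-off: short enough that a crashed player frees the content quickly, long enough that a player on a flaky connection can renew before it lapses.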

FIG. 3 is a flowchart of a process of conducting a media contenttransaction performed by the Transaction module 210 of FIG. 2. Each ofthe blocks of FIG. 3 represents a series of actions or steps. Thesesteps can be carried out by the Transaction module 210 and/or can becarried out by sub-modules within the Transaction module 210 with eachblock representing one of those sub-modules. Alternatively, variousmodules of the content distribution system 200 can perform one or moreof the steps depicted in FIG. 3.

The process begins with an Initialization step 310. If this is the first time this particular user has attempted to log on to the content distribution system 200, the Initialization step 310 gathers certain account information from the user, for example a desired account name (which must be unique) or password, legal name, complete address, social security number, out-of-wallet verification information such as mother's maiden name, credit information, voter registration information, or credit card information. In another embodiment, the Initialization step 310 collects smart card, phone card, or other payment card information from the user for payment of account charges. For users who have already gone through this account set-up process, the Initialization step 310 only prompts for the account name and password.

In one embodiment, it will be necessary for the user and potentialconsumer to assent to a signed, legally binding agreement before beingallowed to purchase and download media content data. For example, theagreement may state that the user will not inappropriately distributecopyright materials without the necessary permission from the mediarights owner. For added security, the agreements may be encrypted sothat only the appropriate people can view these agreements. The userwill need to be able to clearly read the terms and conditions forproperly handling electronic copyright materials. Furthermore, the usermust agree not to inappropriately distribute this copyright materialunless express permission is granted by the rights owner.

Once the user has entered into such an agreement, the recently signedE-Sign law will provide protection to the media rights owners anddistributors of such copyright materials. Such an agreement may beconsummated by having the end user simply click a button labeled “IAgree”, or something similar, while the terms and conditions are beingprominently displayed on the screen by the Initialization step 310. Byclicking on a button labeled “I Agree”, a binding agreement comes intoexistence between the end user and the rights owner.

In order to prove the agreement was consummated by the end user, it will need to be "signed" by using the user's private key to produce a digital signature over some or all of the agreement, or over evidence of the agreement, that the user approved. In practice the signature is computed over a cryptographic hash of the agreement text, and the text itself remains readable. In doing so, it will be relatively easy to demonstrate that the user did in fact agree to the terms and conditions of the agreement, with the user's public key verifying the signature to provide adequate proof. In a further embodiment, the user may optionally request to review the agreement with all its terms and conditions should the end user wish to refer to this agreement. Therefore, the agreement may be stored in such a way as to be easily accessible to the end user. Such an agreement may be stored at the Certification Authority 260, the transaction database 214, customer site 270, or other locations where there is adequate storage and access over the network 116.

Once all necessary account information has been transmitted by the userand the user has affirmed this information as being correct andcomplete, the Initialization step 310 verifies and authorizes thepayment card information obtained from the user. For example, an on-linemethod may be used by the Initialization step 310 to check the name,social security number, address, and other information with one or morecredit card companies 280 of a user. Additionally, it is possible forthe Initialization step 310 to require that a credit card or smart cardnumber be entered into the VPN in order to allow certain people accessto certain accounts. When this credit card information is entered,verification processes can be initiated by the Initialization step 310that will further verify and authenticate the identity of the user. Inone embodiment, smart cards, phone cards or credit cards, for example,containing user verification information may be scanned into a mechanismsuch as a credit card scanner and the information previously written tothe magnetic strip of the card can be used by the Initialization step310 to verify a user on the Content VPN.

In a further embodiment, verification information may be written by theInitialization step 310 to credit cards, for example MasterCharge orVisa cards. Verification information may additionally be written tophone cards, for example AT&T Phone Cards or MCI Phone Cards.Additionally, verification information may be written to smart cardsthat are used solely to identify a user on a computer system. On certainVPN applications it is possible that a user may scan or swipe the cardin order to gain access. The verification information scanned from thecard may be saved along with the streaming video and the encryptionkeys.

Such a payment card may be used to allow a user to access a publicterminal for the VPN. If such a user device 115 is available to thepublic in a public location, for example at a hotel or airport, it willbe important that either a biometrics mechanism or a payment card ofsome type be scanned for user verification information by theInitialization step 310. A biometrics mechanism refers to certaintechniques that exist today for verifying the identity of anyindividual, for example a retinal scanner (i.e. eye scanner),fingerprint scanner, thumbprint scanner, DNA scanner, or other type ofbiometrics scanning mechanism. In one embodiment for using a biometricsdevice, the biometrics device may be used along with the encryption keysand digital certificates. The scanned image created by the biometricsscanner may be saved along with the agreement. The scanned imagecontaining biometrics information may additionally be saved along withthe session and public encryption keys as well.

A public terminal for the VPN may be similar to a desktop PC, however the card may act as the memory device for the user during the session at the public terminal. The public encryption key may reside on the card as well as other important verification information. Additionally, the digital certificate information may be written to the magnetic strip on the card as well by the Initialization step 310. For example, the information on such a card may include, but is not limited to, name, address, social security number, date of birth, credit card information, public encryption key, or private encryption key. A private key must not be written to the magnetic strip, which any card reader can copy; if it is carried on the card at all it belongs in a smart card chip that performs signing internally and never releases the key. This type of public terminal may enable a user to access a Content VPN while traveling potentially anywhere in the world.

The Transaction module 210 process includes an Authenticate User and Get Digital Certificate step 320. One way to protect electronic media content over a public network is to use digital certificate technology as defined by the X.509 standard of the ITU-T and profiled for Internet use by the IETF PKIX working group. Digital certificate technology has been available since the late 1980s for securing web sites, e-mail, FTP transmissions, VPNs, and other communications techniques over public networks, including the Internet. Several leading companies that have deployed digital certificate technology are Verisign, CyberTrust, Thawte, and RSA. These companies have worked diligently to bring digital certificate technology into everyday practice for multitudes of users on the Internet. It is likely, if not practically imminent, that digital certificate usage will soon become the rule rather than the exception.

A well-known concept developed by the telecommunications standards committees and companies such as RSA is to issue to a user on a network two encryption keys. This Public Key Infrastructure (PKI) information consists of a pair of keys, a public key and a private key. The public key can be published to friends and partners around the world. The private key is always kept on only one computer, mobile phone, hand-held device, television set, or other user device 115; it is the secrecy of the private key, not of the certificate, that the whole scheme rests on. At least one key, either the public or private key, is required to be stored such that it is available to the user device 115.

After the key pair is generated, whether by the Certification Authority 260 (see FIG. 2) or, as a practitioner would prefer, on the user device 115 itself so that the private key never travels over the network, a digital certificate may also be created. The digital certificate provides the necessary links back to a company or person who can be trusted. This trusted company or person is the Certification Authority, also called a Trusted Authority (TA). When a computer, mobile phone, hand-held device, television set or other user device 115 has an encryption key pair and a digital certificate issued by a TA, then the device can be positively identified and its transactions attributed to its owner; the certificate does not by itself protect the device from compromise.
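Key pair generation, certificate issuance by the Certification Authority 260, and the "sign with the private key, verify with the public key" operation that the signed agreement of the Initialization step 310, the signed clear text message in the watermark, and step e) of the Copyright Registry procedure all rely on, as one added Go example using only the standard library (not code from the original). The CA name, the consumer name, the serial number and the agreement text are constructed for illustration; ECDSA on P-256 is a choice made here, the original names no algorithm.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCA creates the Certification Authority's key pair and self-signed certificate.
func IssueCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Content CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// IssueConsumer generates the consumer's key pair (in deployment on the device,
// so the private half never travels) and has the CA sign a certificate binding
// the public half to the consumer's name and to the serial the watermark carries.
func IssueConsumer(caKey *ecdsa.PrivateKey, ca *x509.Certificate, name string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// SignAgreement is the "I Agree" click: the private key signs the hash of the
// agreement text. Nothing is encrypted; the text stays readable.
func SignAgreement(key *ecdsa.PrivateKey, agreement []byte) ([]byte, error) {
	h := sha256.Sum256(agreement)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// VerifyAgreement is what the rights owner does later: confirm the consumer's
// certificate chains to the CA, then check the signature with the public key in
// it. Anyone with the public key can do this: a signature proves origin only.
func VerifyAgreement(ca, consumer *x509.Certificate, agreement, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := consumer.Verify(opts); err != nil {
		return false
	}
	pub, ok := consumer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	h := sha256.Sum256(agreement)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	caKey, ca, _ := IssueCA()
	aliceKey, alice, _ := IssueConsumer(caKey, ca, "Alice Example", 1001)
	agreement := []byte("I will not redistribute downloaded content without permission.") // constructed
	sig, _ := SignAgreement(aliceKey, agreement)
	fmt.Println("serial:", alice.SerialNumber, "signature verifies:", VerifyAgreement(ca, alice, agreement, sig))
	fmt.Println("altered text verifies:", VerifyAgreement(ca, alice, append(agreement, '!'), sig))
}
```

The chain check before the signature check is the part most often skipped: a signature that verifies under a certificate from an untrusted issuer proves only that someone holding some key signed, not that the Certification Authority 260 vouched for that key's owner.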

Virtually all Web Browser programs, including for example Netscape andInternet Explorer, have a mechanism to store and manipulate encryptionkeys and digital certificates. It is common to see an area reserved forthe creation, storage, and usage of digital certificates under the menuitem named “options” or “preferences” in such Web Browser programs.

The architecture of the content distribution system 200 disclosed inthis application may be designed in such a way as to use digitalcertificates that are generated by a multitude of digital certificateauthorities, many of which may even be generated from countries otherthan the United States. Since it is contemplated that the contentdistribution system 200 will be an international network, it isanticipated that customers as well as business from different parts ofthe world will prefer to purchase digital certificates from aCertification Authority 260 that might be physically located close tothe customer or business. It is also anticipated that the digitalcertificate business will become an enormous industry over the nextdecade. In one embodiment, the providers of the VPN themselves mayadditionally generate and issue digital certificates designed around theX.509 protocol.

As these digital certificates are issued to the various content sourceBusiness-to-Consumer (B2C) partner customer sites 270 and user devices115, it is important that a person responsible for the transactions onsuch a content VPN be authenticated. The term “authenticated” refers toensuring a responsible person is positively identified as being liablefor a transaction. Without a robust authentication process, unauthorizedpersons, for example hackers, may enter such a content VPN and downloadcontent files with no intention of paying. Likewise, the contentprovider will have no idea who is the person responsible for thedownloaded content data. There are many ways to authenticate people overa public network such as the Internet, several of which are describedherein to provide examples of such.

In one embodiment, the method for authenticating a consumer may be bythe Authenticate User and Get Digital Certificate step 320 verifyingthat the consumer's credit card is active and in good standing. Since abanking organization at one time issued credit to this user, theAuthenticate User and Get Digital Certificate step 320 may assume thisperson has completed an interview process and has signed the appropriatelegal documents.

There are many ways for such an Authenticate User and Get DigitalCertificate step 320 to authenticate a consumer using a credit card,including for example:

1) Making a request to authenticate the consumer's credit card throughthe Certification Authority 260, which may pass the request forauthorization on to the transaction database 214, to the Transactionmodule 210, and then to the credit card company 280.

2) Making a request to authenticate the consumer's credit card directlyto the credit card company 280.

3) The B2C partner customer site 270 authenticating the consumer bygoing directly to the credit card company 280 that is being used.

For a consumer to create a digital certificate in the industry presently, the consumer must contact a trusted certification company, for example Verisign. Verisign will then take steps to verify the identity of the consumer, which is what a certificate attests to; whether the consumer is authorized to use particular network resources remains a decision of the resource owner, made on the strength of that identity. Once Verisign is satisfied of the consumer's identity, it sends a digital certificate to the consumer using various transmission mediums, for example via a network transmission protocol, an application program that will create the digital certificate on the consumer's hard drive, a floppy disk drive or other similar external storage medium, or other suitable transmission mediums.

A digital certificate is typically a small data file that can be transmitted or loaded into a web browser or e-mail application program, although other digital certificate formats are contemplated by this application. What this application refers to as the Certificate Policy Statement (CPS) area corresponds in X.509 to the certificatePolicies extension, whose policy qualifiers may carry a pointer (a URI) to the issuer's Certification Practice Statement; the practice statement itself is a document published by the Certification Authority rather than text stored inside the certificate. Such a pointer, or link, may lead to a website that has a copy of the signed, binding agreement between the network customer site 270 and the user. In this way, all parties may review and otherwise refer to the agreement at virtually any time. The user's assent may be captured by an application software program that records a signature using mouse or pointer technology and transmits the signature to the VPN provider, or by other current or future means for capturing and transmitting the consumer's personal or private authorization.

Once placed on a specific user device 115, a digital certificate typically cannot be readily moved. When placing the digital certificate on a user device 115, a consumer and a content distribution system 200 issue and receive digital certificates with each other for the purposes of transmitting electronic media files. The consumer is verified as legitimate by a trusted authority and a digital certificate is issued on a specific hardware device on the network. At this point, it is possible that a crafty person (i.e. hacker) may log on to an unsecured computer containing the appropriate digital certificates and masquerade as either a content provider or a consumer.

For this reason, other security precautions may be taken. The CPS may additionally contain a password that must be correctly matched by the legitimate consumer at the time the hardware device containing the digital certificate logs on to the VPN. If an attempt to enter the password fails more than a predetermined number of times, the digital certificate may be immediately revoked by the Authenticate User and Get Digital Certificate step 320 until a further investigation may be conducted.

It may be that all hardware equipment used by a network client must be secured with the appropriate passwords and security measures. This deters a crafty person from gaining unauthorized access to the hardware device. Additionally, it may be that all applications programs such as web browser programs and e-mail programs used during a VPN session be secured with the appropriate passwords and physical security means as well. An additional security measure may be a requirement that the consumer sign a release of liability asserting that the physical hardware devices are not misappropriated or otherwise misused because the proper security measures were ignored.

Digital certificates may be used to enable parental controls that restrict minors' access to certain content. Each digital certificate issued to a device may contain a field indicating the appropriate level of exposure to sex, violence, or irreverence allowed for a particular playing device. If the device does not allow a digital certificate to be updated, or if the device cannot store a digital certificate at all, the user must indicate the level of exposure to sex, violence, or irreverence and capture this information in the transaction database 214. When the user selects content, a query is performed to determine if any parental controls are selected. If one or more parental controls are set, then an appropriate error message may appear if the level of exposure to sex, violence, or irreverence exceeds that which has been previously established.

Log files may be used extensively throughout the VPN. Each time an event takes place, an adequate message may be written to a log file. Log files may exist at many locations, including at a user device 115, content distribution system 200, Certification Authority 260, transaction database 214, customer site system 270, some independent agent or authority, or other logical or physical databases or locations. Log file contents may include the following information:

1) Messages indicating noteworthy events

2) Date and time

3) Public keys that were used

4) Session keys that were used

5) Other noteworthy encryption keys

6) Other information that may be helpful

In one embodiment, although the user must answer questions and become authorized by the Authenticate User and Get Digital Certificate step 320 to use the network, the actual issuance of the digital certificates should be as easy to use and transparent as possible. To be successful in the marketplace, the consumer should be able to answer a few questions, for example via interactive prompts or by filling out an online form, and be able to use the content distribution system 200 within a few minutes. Although the technology involved is significantly complex, the capture of necessary information and the issuance of the digital certificates must be simple and nearly transparent to the consumer.

In one embodiment, each device has some form of unique ID. This unique device ID may be used for a variety of purposes, for example for calculating the necessary values to properly build the key and certificate files for creating encryption keys and digital certificates. This application contemplates other purposes for which the unique device ID may be used.

Most user devices 115 typically include some type of unique number or code that positively and uniquely identifies the device. For example, in some cases a sequential number is generated and embedded within the hardware, a database record, or the software running on the user device 115. Access to this unique number is usually an uncomplicated process. An example of accessing such a unique number is a simple query into one of the registry files found within the Microsoft Windows operating system.

An example of a more state-of-the-art method for uniquely numbering user devices 115 is to generate either, as would be known to one skilled in the art, a Universally Unique ID (UUID) or a Globally Unique ID (GUID) by randomly generating a huge number that is statistically unique and then embedding this number within the hardware, a database record, or the software running on the user device 115. Other examples of unique numbering techniques include using the MAC Address, for example for a network interface card, or using a static IP address as the unique device ID number.

It is contemplated by this application that in the future devices such as CD players, DVD players, MP3 players, other music players, and other consumer electronic devices may already have digital certificates built in from the factory. In this case, either the information embedded within the digital certificate or a copy of the digital certificate must be transmitted to the Certification Authority 260 by the Authenticate User and Get Digital Certificate step 320. Once the Certification Authority 260 receives this digital certificate information for this device, the streams of encrypted and watermarked data may then commence.

In one embodiment, the Authenticate User and Get Digital Certificate step 320 will capture such a unique device number and use it to further identify the user device 115 on the network. After capturing this unique device identifier, the system may save this identifier to one or more database fields that are associated with the digital certificate. The Authenticate User and Get Digital Certificate step 320 can use the user's digital certificate plus this unique device ID number to further authenticate both the device on the network and the end user who has access to this device.

It would not be unusual for any given user device 115 to have numerous digital certificates as it logs on to new websites and performs other Web or Internet operations. As it is possible and even common for PCs to have multiple digital certificates, it is also possible to have multiple digital certificates for consumer electronic devices and other types of user devices 115 as well. This multiple digital certificate capability adds flexibility for the consumer as the data streams may be accessed in a continually expanding number of ways. In addition, it is contemplated that new encryption methods may be employed that work for a group of devices rather than merely one single device.

It is contemplated by this application that each user device 115 will have some way to both store and manage digital certificates, although this may not always be the case. If the user device 115 is a PC, for example, the digital certificates may be stored within the Internet browser program, or within an e-mail program, for example, Microsoft Outlook, or Outlook Express. However, it is not the case that the digital certificate may only be stored within the digital certificate database in the browser or e-mail program. Digital certificates may also be stored virtually anywhere that has sufficient long-term storage capacity. One such example is a separate database in such a way as to be accessible by virtually any Internet or Web system or a language such as Java, VB Script, HTML, for example. Providing access to digital certificates stored outside of a Web browser may allow for a more transparent user interface, as the user will not be asked questions by the browser program as it is loading new digital certificates into the browser database. Such questions may include, for example: “Are you sure you want to load this digital certificate?”, “This digital certificate is not trusted. Are you sure you want to proceed?”, “Please select the digital certificate you would like to use?”, or any number of other user prompts or questions.

In the embodiment where digital certificates are kept in a separate database, the database may exist on a separate subdirectory of a device. Additionally, such a database of digital certificates may be stored with other files on a device, or within a user device 115 software program. It is therefore contemplated that the Web browser may not be necessary in order to create the content VPN and there are a multitude of places where digital certificates may be stored and accessed by the user device 115.

In another embodiment, the digital certificates may be stored within a database at the Certification Authority 260. In addition to the digital certificates, other database fields may similarly be stored, maintained, or administrated from the Certification Authority 260. Keeping the database of digital certificates and other database fields on the Certification Authority 260 has the advantage of quicker and easier access to the digital certificates and other database fields, because there is no need to request this information from another system located elsewhere on the network 116.

The Transaction module 210 process includes a Search For and Select Content step 330. The customer sites 270 of valuable content materials, for example videos, music, books, software, multi-media, and other media content, hereinafter referred to as content data, may have their library of content materials located on their own servers, or on a server accessible over the public network 116. Content data typically may be in the form of computer files for video, audio, program, data or other multimedia content, as well as actual physical copies of valuable content, for example CD-ROM, DVD, VCR, audio, TV or radio broadcasts, streaming audio or video over networks, or other forms of content. These customer sites 270 may deploy parallel systems for added protection in case of a failure.

In another embodiment, the customer sites 270 may be able to store their valuable content on the archive server 240 as well. In the event a customer site 270 may go out of business, it is possible to move the content in the archive server 240 so there is no disruption in service. Additionally, the archive server 240 may act as a temporary storage area or buffer while downloading data between the content source and the user device 115.

In one embodiment, when the user's digital certificate is determined by the Certification Authority 260 to be authentic and there are no problems with either the certificate or the consumer's account, the consumer may be allowed access to a multitude of network services, functions and information by the Search For and Select Content step 330. Once the consumer has connected to the content distribution system 200, or alternatively to a customer site 270 system, the consumer will have access to a multitude of network services, functions and information, including but not limited to the following:

1) A list of major content categories

2) A list of content items within each major content category

3) Parental controls or reviews of each content item

4) A list of content items purchased by the consumer

5) Samples of content files that can be sampled or viewed

6) The consumer's account status

7) Advertisements and special promotions on certain content items

8) Download latency times that can be expected for certain downloads

9) Players and other software tools that can be downloaded that will help the consumer play or otherwise enjoy the content materials

10) Hardware devices and appliances that can be purchased and shipped to the consumer in order to play or otherwise enjoy the content materials

11) Shipping and handling information that will be helpful if the consumer wishes to receive a physical copy from the content provider

12) A list of player devices registered for this user, for example MP3 players, computers, set-top boxes, Internet radios, cellular telephones, or other devices

13) Control functions to allow selling, moving, or copying content to other customers, or other players owned by the customer

The Transaction module 210 process includes a Payment step 340. When a consumer decides to purchase and download content, that consumer places an order with the content distribution system 200 or one of a plurality of customer sites 270. This order may include the following or additional specifications from the consumer:

1) Save content to a file

2) Stream content to a device

3) Begin download immediately

4) Set a timer to deliver content at a specified date and time in the future

5) Deliver content to more than one device simultaneously

6) Provide subtitles for translation purposes or for the hearing impaired

7) Provide password protection to play content

8) Block content from being transferred if it contains explicit, violent, or otherwise harmful material

9) Language translation

When an order is placed, a transaction entry will be made in the transaction database 214 along with the specifications requested by the user. At any time the consumer or the administrators of such a network may view the transactions that have occurred in the transaction database 214.

If the consumer has made a purchase, the Payment step 340 may automatically charge the consumer's account, for example credit card, phone card, smart card, or other payment method. The Payment step 340 may automatically pay all of the fees and royalties required by the customer sites 270, by copyright law, or by any other laws or agreements that are in effect.

The Transaction module 210 process includes a Watermark step 350. An effective way of identifying books, CDs, software and other such media products is to place a virtually invisible mark on the product itself that will uniquely identify the product, where it came from, and when it was downloaded. This virtually invisible mark is called a watermark. The process of placing hidden or transparent marks within content is commonly referred to as watermarking and is also called steganography. The Watermark step 350 places such a watermark within a stream of data that is delivered between the source of the data, for example a customer site 270, and the user's device 115. The watermark cannot be removed or modified from the digital content without corrupting the digital content. In one embodiment, the watermark may be the consumer's ID that positively identifies the consumer. The consumer's ID, as described above, may be in the form of a digital certificate that has been issued to the user device 115, a signed transactional ID, a device or player serial number, or other unique ID. If necessary, the consumer's ID may point to the consumer's credit card information that is kept in the transaction database 214.

In one embodiment, the consumer's ID number is the digital certificate's serial number or the digital certificate's ID number. Further embodiments include using as a watermark a unique transactional ID that can be linked via a transactional database back to the consumer who downloaded the content. The transactional database 214 may contain information that provides a record of all content downloaded or transferred to a user. Individual fields in the transactional database 214 may include a serial number of the user device 115 used to download the content, a network trace-route showing the network connection used to reach the user, a credit card number for the user, a digital certificate, a digitally signed message authenticating that the user's private key was used to sign the message, or other user information.

In another embodiment, the Watermark step 350 may embed within a watermark a transactional ID rather than a serial number of a digital certificate. The content data may be transferred from a customer site 270 to the user device 115, and the content data may have transactional or consumer identification data added transparently to the content data when downloaded to the consumer or their player. An example of the transactional data added by the Watermark step 350 to the content data is illustrated by the case where a consumer's ID is added to the data stream using one or more watermarking techniques. The content data after watermarking may optionally be encrypted using a public key or session key known by the consumer or their player. Once content data is available for transmission in the form of a portion of the data stream, or the entire data stream, the Watermark step 350 may add the consumer's ID number that is associated with the user device's 115 digital certificate into the data stream as part of the entire watermark. The watermarking of the consumer's ID number into downloaded content will not impair the content nor invalidate other watermarks already in the content, such as the identity of the content owner.

In one embodiment, watermarking may be performed by the Watermark step 350 on virtually any digital data stream by appropriately switching or modulating insignificant bits of information with a signal, for example phase, amplitude, video blanking, or other signals, “on” or “off” inside the data stream in such a way as not to be noticed by the consumer. By knowing where the bits start and stop, the Watermark step 350 strings these bits together in order to create larger segments of data. The resulting string of such data segments clearly identifies the user, a legally binding signed transactional log, or the user's player, computer or other devices. As the Transaction module 210 digitally signs the transactional ID, a legally binding identification of the user is provided, as the user's private encryption key must be used to complete a transaction. The term “payload” refers to such a string of characters that the Watermark step 350 may embed within a watermark.

The Watermark step 350 is accomplished for various media forms without degrading the quality of the content. In the example of watermarking music content, the Watermark step 350 sets certain insignificant “on” and “off” bits as the various sounds transition from one state to another state. By using least significant bits (LSB) within the stream at points where these transitions are taking place, the user will not be able to discern any difference between a stream with a watermark and a stream without a watermark. There are additional places where music may be watermarked that are contemplated by this application. Industry standard music watermarking technology may additionally be used.

In the example of watermarking video content, there are more opportunities for the Watermark step 350 to embed “on” and “off” bits or modulated data within a video stream than there are within an audio stream. There are certain unused spaces within the video stream where the Watermark step 350 may carefully place “on” and “off” bits. There is also an opportunity to place “on” and “off” bits within numerous LSBs of the video stream so the consumer will not be able to discern any difference. There are additional ways to embed watermarks in a video stream that are contemplated by this application. Industry standard video watermarking technology may be used by this invention.

In the example of watermarking software content, watermarking may be simpler than either music or video content. A software publisher may reserve an area where the Watermark step 350 may inject such a watermark into the data stream without affecting the performance of the software. The software publisher may also identify areas within the data stream that will not cause any harm to the performance of the software program. Additionally, even without the publisher's assistance, it may be possible for the Watermark step 350 to locate areas that are available within the stream of software data in order to place either bits or bytes of information. There are additional ways to embed bits or bytes into a software stream that are contemplated by this application. Industry standard software watermarking technology or encrypted copyright notices may be used by this invention.

In the example of watermarking literary content, adding a watermark to book information is different than adding a watermark to music, video, or a software data stream. Within a book, it may be best for the Watermark step 350 to add or subtract a small amount of space between certain letters that are printed in the book. Adding a little more space between one carefully chosen letter and the next contiguous letter may be interpreted as being an “on” bit, whereas not having the extra space between one carefully chosen letter and the next contiguous letter may be interpreted as being an “off” bit. By knowing where to start and end, it may be possible to create a software program that scans the pages of a book and produces an ID number that is associated with the consumer's digital certificate. There are additional ways to embed “on” and “off” bits between letters of a book that are contemplated by this application. Industry standard electronic book watermarking technology may be used by this invention.
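
The spacing scheme for literary content described above, as an added Python example that is not part of this application. It assumes the marks go between words rather than between individual letters, which keeps the carrier a plain string; the sample passage, the payload and the function names are constructed for the example.

```python
# Added example (not from the application): a spacing watermark for literary
# content. The application describes adding or withholding a little extra space
# between chosen letters; here the carrier is the gap between words instead
# (an assumption that keeps the text easy to handle as a plain string).
import re


def bytes_to_bits(data: bytes) -> list:
    """MSB-first list of bits for a byte string."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def capacity_bytes(text: str) -> int:
    """How many payload bytes the word gaps of `text` can carry."""
    return (len(text.split()) - 1) // 8


def embed_in_spacing(text: str, payload: bytes) -> str:
    """Encode each payload bit in one word gap: two spaces mean "on", one
    space means "off". Gaps beyond the payload stay single spaces; the
    original whitespace of `text` is normalised to single spaces first."""
    words = text.split()
    bits = bytes_to_bits(payload)
    if len(bits) > len(words) - 1:
        raise ValueError("text has too few word gaps for this payload")
    pieces = []
    for i, word in enumerate(words[:-1]):
        pieces.append(word)
        pieces.append("  " if i < len(bits) and bits[i] else " ")
    pieces.append(words[-1])
    return "".join(pieces)


def extract_from_spacing(text: str, payload_len: int) -> bytes:
    """Read the first payload_len * 8 word gaps back into bytes."""
    gaps = re.findall(r" +", text)
    bits = [1 if len(gap) > 1 else 0 for gap in gaps[:payload_len * 8]]
    return bits_to_bytes(bits)


# Constructed sample page text: 51 words, so 50 gaps, room for a 6-byte payload.
SAMPLE_PAGE = (
    "The archive server holds either a pointer to the content or the content "
    "itself, and the transaction database records every download that the "
    "consumer has made. When a consumer selects an item, the system checks "
    "parental controls, charges the account, and only then begins the transfer "
    "to the registered player device."
)


def demo() -> dict:
    payload = b"SN:42"          # constructed 5-byte certificate serial number
    marked = embed_in_spacing(SAMPLE_PAGE, payload)
    return {
        "capacity": capacity_bytes(SAMPLE_PAGE),
        "recovered": extract_from_spacing(marked, len(payload)),
        # The words themselves are untouched; only the gap widths differ.
        "visible_text_unchanged": marked.split() == SAMPLE_PAGE.split(),
    }


if __name__ == "__main__":
    print(demo())
```

The capacity is one bit per word gap, so a page of ordinary prose carries only a few bytes; the application's remedy, stated in the paragraph on redundant placement below, is to repeat the marks throughout the stream rather than rely on a single copy.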

By the Watermark step 350 redundantly adding such “on” and “off” bits throughout the stream and by encrypting these “on” and “off” bits, it is anticipated that it will be very difficult for unauthorized persons to build a mechanism that can remove this digital certificate ID information from the stream of data, whether the stream contains music, video, software, multi-media, printed material, or other media content.
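
The least-significant-bit technique described for music content above, combined with the redundant placement of the preceding paragraph, as an added Python example that is not part of this application. Everything in it is constructed: the carrier is a synthetic 440 Hz tone in signed 16-bit samples rather than real audio, the payload is a made-up certificate serial number with a download date, and the function names are the example's own.

```python
# Added example (not from the application): the LSB watermark the application
# describes for audio, written for 16-bit PCM samples. The payload is written
# redundantly (three copies) and read back by per-bit majority vote, so one
# damaged copy does not destroy the ID. Tone and payload are constructed data.
import math


def bytes_to_bits(data: bytes) -> list:
    """MSB-first list of bits for a byte string."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def bits_to_bytes(bits: list) -> bytes:
    """Inverse of bytes_to_bits; len(bits) must be a multiple of 8."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def embed_payload(samples: list, payload: bytes, copies: int = 3) -> list:
    """Overwrite the LSB of consecutive samples with `copies` repetitions of
    the payload bits. Each sample moves by at most one quantisation step."""
    bits = bytes_to_bits(payload) * copies
    if len(bits) > len(samples):
        raise ValueError("carrier has too few samples for this payload")
    marked = list(samples)
    for i, bit in enumerate(bits):
        marked[i] = (marked[i] & ~1) | bit      # clear the LSB, then set it
    return marked


def extract_payload(samples: list, payload_len: int, copies: int = 3) -> bytes:
    """Read the LSBs back and take a per-bit majority across the copies."""
    n_bits = payload_len * 8
    votes = [0] * n_bits
    for copy in range(copies):
        for i in range(n_bits):
            votes[i] += samples[copy * n_bits + i] & 1
    return bits_to_bytes([1 if 2 * v > copies else 0 for v in votes])


def synthetic_pcm(n_samples: int = 4096, freq: float = 440.0,
                  rate: int = 8000) -> list:
    """Constructed carrier: a 440 Hz tone as signed 16-bit samples."""
    return [int(12000 * math.sin(2 * math.pi * freq * i / rate))
            for i in range(n_samples)]


def max_sample_change(original: list, marked: list) -> int:
    """Largest per-sample difference introduced by the watermark."""
    return max(abs(a - b) for a, b in zip(original, marked))


def demo() -> dict:
    carrier = synthetic_pcm()
    # Constructed payload: certificate serial number plus the download date.
    payload = b"CERT-SN:00042;2001-01-15"
    marked = embed_payload(carrier, payload)
    # Simulate damage to the second copy: flip every one of its LSBs.
    n_bits = len(payload) * 8
    damaged = list(marked)
    for i in range(n_bits, 2 * n_bits):
        damaged[i] ^= 1
    return {
        "max_change": max_sample_change(carrier, marked),
        "recovered": extract_payload(marked, len(payload)),
        "recovered_after_damage": extract_payload(damaged, len(payload)),
    }


if __name__ == "__main__":
    print(demo())
```

The majority vote is what makes the redundancy pay off: with three copies any single corrupted copy is outvoted, and more copies raise the threshold further. The amplitude check shows the perceptual argument of the music example in numbers, since no sample moves by more than one step of the 16-bit scale.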

The watermarking operations of the Watermark step 350 may be used with other security technologies that are typically referred to as DRM (Digital Rights Management) models. DRM models are typically systems that use passwords, keys, smart cards, wands, tickets, licenses, or other independent mechanisms that will unlock a content file. For example, Microsoft Corporation uses a DRM model when it distributes many of its programming languages. With a DRM model, if the user does not have the proper license for the programming language or system installed on the hard drive, then the programming language or system will not run. DRM models work similarly with content files. The content file by itself is not enough to play or view the content. An external mechanism such as a license or a password, for example, must be used in coordination or combination with the content file in order to play or view the content file.

An embodiment of the Watermark step 350 will enhance these DRM models. The combination of DRM and watermarking with digital certificates may include the following operations:

1) Issuing a digital certificate for a single content item and storing it in a database.

2) Storing at the database a clear text ID, or a user (person or device downloading content) signed text ID/message used for authentication purposes.

3) Watermarking the content using the serial number of the digital certificate that was issued, or a signed transactional ID for this transaction.

4) Encrypting the watermarked content file with the DRM system and downloading this encrypted file to the user.

A DRM model may easily create an encrypted version of the watermarked content data. This may include the following:

1) Watermarking the content file using either the serial number for a digital certificate (signed or unsigned) or a private key signed transactional ID. In fact, the user identification for the DRM system user may be watermarked into the content data at this point in addition to, or instead of, the digital certificate serial number or transactional ID.

2) Encrypting the content file inside a DRM enclosure.

3) Delivering the content to consumer.

4) Unlocking the DRM enclosure by the user using the correct DRM decryption key.

5) Playing the content file; a watermark, however, still exists within the content file.

6) Positively identifying the user should a hacker decide to hack the signals and pass the decrypted content data on in an unauthorized manner.

Typically the user will have the appropriate key to unlock a DRM enclosure. The key to unlock the encrypted DRM data may be a read-only file, a password, a hardware device such as a decryption key dongle, or other external device or file that works to initiate the decryption process of a DRM content file. In the case where the user does not have an appropriate key for the DRM content file, then the content file cannot be successfully played. If the user does have an appropriate key, however, and the user passes the DRM content file to another person without the appropriate key, then only the original user may successfully play the DRM content file. The new person will not be able to successfully play the DRM content file in this situation.

Watermarks within content data may contain other fields besides the digital certificate ID. For example, the “Date Content Is Downloaded” may be added by the Watermark step 350 to the content data stream along with the digital certificate ID. Other important fields may additionally be added within the watermark and are contemplated by this application.

In another embodiment, the Watermark step 350 may embed a transactional ID in a watermark. A transactional ID is a code or string of characters used as the payload of a watermark rather than the serial number of a digital certificate. An example of a watermark with a transactional ID may include:

1) A unique hash that will authenticate the transactional ID. Such a hash may prevent invalid transactional IDs from being mistaken for authentic ones.

2) A CRC (cyclic redundancy check) to authenticate the transactional ID.

3) A signature using a private key that is either stored inside the user device 115 or at the Certification Authority 260.

4) A transactional ID number generated using the following operations:

a) The user registers with a Certificate Authority (CA) 260 and obtains a public/private key pair from the CA, trusted authority, bank, credit card provider, or other respected institution.

b) When the user requests to download digital content, a transactional serial number, string or unique identifying message may be sent from the customer site 270 download site to the user's computer or player device.

c) The user's computer or player device will sign the transactional ID using the user's private key. The private key was issued in step ‘a’ above, or is a key or serial number embedded in a computer or player device, and the embedded key or player serial number is registered with a CA recognized by the content download site.

d) The content download site may use the user's public key and verify the signed transactional ID before allowing the transfer to occur.

e) The customer site 270 may add additional information to the signed transaction ID in a content provider database that will help to validate that the user is actually the person who downloaded the content. This information may include network trace-route information, a serial number of a computer or player device used to download the content, network gateway routing information, Internet to cable modem gateway, Internet to broadband router, gateway routing information that identifies the user as a subscriber on a particular cellular telephone device, a cable modem system, or other digital networked system. This network trace-route information may also be added transparently to the digital content using industry standard watermarking techniques.

f) The signed transactional ID may be transparently added to the digital content using watermarking technology before or during the download to the user.

In the case of a transaction ID, the electronic signing of the transaction ID above is replaced by logging transactions as they take place. By hashing the transaction ID, providing a CRC check, or otherwise authenticating the process for the transaction ID, the transaction ID may thereby be authenticated in a way similar to electronically signing a digital certificate.

As a further example, a cellular telephone device may have a unique serial number such that when the cellular telephone is used to download content the cellular phone's serial number may be used to verify that the user/device is authorized for content downloading. As disclosed by this application, an additional stage is taken for the use of a device serial number to identify a user, which is the linking of an encryption key for the device to the serial number of the device. This linking may be performed in a player device, such that the player device may be issued a public/private key pair, or by the cellular telephone provider or Internet to cellular network gateway storing a link from the cellular telephone's serial number to a public/private key pair or digital certificate for this telephone device. Not only is this useful with cellular telephones, but the technology may be applied to any device that contains a unique serial number, for example PDAs, cable/DSL/PSTN modems, web TVs, Internet appliances, MP3 players, computers, or other devices that may directly or indirectly access digital content.

Along with the digital certificate serial number, or in place of the digital certificate serial number, another string of bytes may be included within the watermark. This additional string of bytes may be a clear text message that is known to the customer site 270 B2C partner. One example of such a clear text message that is known to the customer site 270 B2C partner is the actual serial number itself. Other clear text strings may be used and are contemplated by this application. These other strings of bytes may then be encrypted with the user's private key and stored in an encrypted fashion along with the digital certificate serial number within the watermark.

In one embodiment, this additional encrypted string of clear text characters known by the customer site 270 B2C partner provides further proof that the user was responsible for the content download transaction. The customer site 270 B2C partner, regardless of which server or system is used, must store the actual digital certificate, the consumer's public key, and a predetermined clear text string that will be used to further prove the authenticity of the digital certificate serial number, as well as the fact that the consumer is ultimately responsible for the content download. This predetermined clear text message may instead include a plurality of other authentication methods to verify the validity of the digital certificate serial number.

In a further embodiment, the serial number within the watermark may be authenticated by the following operations:

1) Generating a new and unique digital certificate or transaction ID serial number

2) Encrypting a unique serial number for this new digital certificate or transaction ID using the user's private key

3) Embedding this encrypted serial number with the digital content using watermarking technology

4) Keeping this encrypted serial number and the user's public key in a database at the Certification Authority 260

5) Keeping the original (decrypted) serial number also in the database at the Certification Authority 260

6) Retrieving the encrypted serial number from within the watermark for examination

7) Contacting the Certification Authority 260 and passing it the encrypted serial number

8) The Certification Authority 260 finding a match for the encrypted serial number and retrieving the user's public key

9) The Certification Authority 260 decrypting the serial number

10) Completing authentication of the serial number by verifying that the decrypted serial number yields characters that are consistent with an authentic serial number and that the decrypted serial number matches the original serial number kept in the database of the Certification Authority 260

11) The Certification Authority 260 determining which customer site 270B2C partner issued the digital certificate

12) The Certification Authority 260 retrieving the remaining data, ifany, pertaining to the digital certificate from the customer site 270

In a further embodiment, to increase the security provided by the watermark by making the hacking of invalid watermarks more difficult, several additional operations may be included with the technique described above. For example, multiple watermarks with different payloads may be included, watermarks may be placed at random places within each content file, watermarks may be of variable length, the same watermark may be placed in multiple locations within the same content file, or other ways of thwarting hacking may be included within the contemplation of this application. Depending on the requirements of the media rights owners and the distributors of media content, some or all of the watermarking features and capabilities described above, or other features and capabilities, may need to be employed to thwart hackers and still perform all of the necessary ALAM module 220 operations.

In a further embodiment, a media content physical copy has two or more watermarks within the content. An example of using multiple watermarks includes one serial number being the master serial number and a second serial number being the physical copy serial number. In another embodiment, the second serial number takes the place of the serial number for the master copy. In this embodiment, the physical copy serial number refers to the master copy digital certificate as being a "child" or subordinate certificate. Another embodiment includes adding three watermarks to the downloaded content, including a copyright mark being watermarked into the digital content along with the digital certificate number for the user downloading the content, as well as the ID number for the customer site 270, for example a content source or content distributor.

The Transaction module 210 process includes a Transfer Content to User step 360. Once the consumer is granted the authorization to download certain content materials, the content materials now accessible to the consumer are updated in the archive server 240. The transaction database 214 may thus hold the actual transactions that have taken place for the consumer, and the archive server 240 may hold either the pointer to the physical content or the physical content itself. As one skilled in the art will recognize, the transactional database 214 and archive database 244 may be located on the same computer or system, or distributed across various or multiple computers or systems. In one embodiment, the pointer to the data may be a pointer to the physical data that resides with the customer sites 270. In another embodiment, a number or string of characters that uniquely identifies the content ordered by the consumer may be used rather than a pointer to the content data. When the content material is to be downloaded to the user, the archive server 240 may be accessed in order to get a pointer to the physical data, or alternatively to locate the physical data on the storage facilities within the archive server 240.

A consumer may direct the data stream away from one device and toward another device at the user's request, thereby allowing the consumer to play content material while leaving one physical location and entering another. For example, a consumer may request a download of music while in the home. Before the particular music content has completed playing, the consumer may decide to leave the home and begin to drive in the car. In addition, before the music content has completed playing, the consumer may next arrive at a work location.

The stream of music may initially be directed to a device within the consumer's home. When the consumer realizes that they will be entering the car, the consumer may contact the content distribution system 200 or customer site 270 and request that the data feed be directed toward a car radio with wireless download capability. Before arriving at the work location, the consumer may likewise request that the data feed be directed to a PC at work. In this way, since this content distribution system 200 streams data to user devices 115, it is possible to switch device addressing, and even encryption methods, as the consumer travels from one physical location to another.

In a further embodiment, more download servers than just those described above may exist. In many cases, these servers will be heavily loaded with download requests. It is within the contemplation of this application to distribute the load over a bank of servers that may exist at different physical locations all over the world. This method of distributing servers is often referred to as Load Balancing and is in widespread practice in the industry.

Another example of accomplishing Load Balancing is to use a method such as the popular Hot Line system. Hot Line has a network of both servers and clients that are distributed among thousands or potentially even millions of users. In this system, all clients must connect to a server, after which the client may find the files that are available for downloading, and possibly download one or more of these files. The client may then connect to another server within this Hot Line Network in order to find and download more files. The servers may likewise connect to both clients and other servers to find files that are available for download, and then download one or more of these files.

A further example of accomplishing Load Balancing is to use a peer-to-peer system, which inherently accomplishes Load Balancing. It is contemplated by this application that there are or may be additional examples of Load Balancing systems in the industry.

The above Load Balancing systems may include a server or other web connection that monitors download activity to make sure that content downloading is being distributed properly and the consumer is paying the correct amount for each download. Such client/server or peer-to-peer systems should be monitored carefully in order to maintain integrity, security, proper accounting, and authenticity of the downloaded data streams.

FIG. 4 is a diagram of a typical watermark. The contents of a watermark may include a string of characters divided into fields within the string. These fields are as follows:

1) Payload Version Number 410

2) B2C partner ID 420

3) Transactional ID 430

4) B2C Hash code (derived from 1-3) using B2C partner's private key 440

5) Payload Hash code (derived from 1-4) using user's private key 450
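As an added example that is not part of the original application, the following Go program builds, serialises, parses and verifies a FIG. 4 payload. The "hash code using a private key" of fields 4 and 5 is rendered as an Ed25519 signature over the preceding fields (the application names no algorithm), and the field separator, identifiers and key pairs are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Payload holds the five fields of the FIG. 4 watermark string.
// The "hash codes" produced with a private key are modelled as Ed25519
// signatures (an assumption of this example; the page names no algorithm).
type Payload struct {
	Version   string // field 1, Payload Version Number 410
	PartnerID string // field 2, B2C partner ID 420
	TxnID     string // field 3, Transactional ID 430
	B2CSig    []byte // field 4, over fields 1-3 with the B2C partner's private key 440
	UserSig   []byte // field 5, over fields 1-4 with the user's private key 450
}

// sep separates fields in the serialised string; hex-encoded signatures never contain it.
const sep = "|"

// fields13 is the byte string covered by the B2C partner's signature.
func (p Payload) fields13() []byte {
	return []byte(p.Version + sep + p.PartnerID + sep + p.TxnID)
}

// fields14 is the byte string covered by the user's signature: fields 1-3 plus field 4.
func (p Payload) fields14() []byte {
	return append(p.fields13(), []byte(sep+hex.EncodeToString(p.B2CSig))...)
}

// Build produces a watermark payload: the partner signs fields 1-3 first,
// then the user signs fields 1-4, so the user's signature also binds the partner's.
func Build(version, partnerID, txnID string, b2cKey, userKey ed25519.PrivateKey) (Payload, error) {
	for _, f := range []string{version, partnerID, txnID} {
		if strings.Contains(f, sep) {
			return Payload{}, errors.New("watermark: field must not contain the separator")
		}
	}
	p := Payload{Version: version, PartnerID: partnerID, TxnID: txnID}
	p.B2CSig = ed25519.Sign(b2cKey, p.fields13())
	p.UserSig = ed25519.Sign(userKey, p.fields14())
	return p, nil
}

// String serialises the payload as the field-separated string embedded in the content.
func (p Payload) String() string {
	return strings.Join([]string{
		p.Version, p.PartnerID, p.TxnID,
		hex.EncodeToString(p.B2CSig), hex.EncodeToString(p.UserSig),
	}, sep)
}

// Parse splits a recovered watermark string back into its five fields.
func Parse(s string) (Payload, error) {
	f := strings.Split(s, sep)
	if len(f) != 5 {
		return Payload{}, fmt.Errorf("watermark: expected 5 fields, got %d", len(f))
	}
	b2cSig, err := hex.DecodeString(f[3])
	if err != nil {
		return Payload{}, fmt.Errorf("watermark: field 4: %w", err)
	}
	userSig, err := hex.DecodeString(f[4])
	if err != nil {
		return Payload{}, fmt.Errorf("watermark: field 5: %w", err)
	}
	return Payload{Version: f[0], PartnerID: f[1], TxnID: f[2], B2CSig: b2cSig, UserSig: userSig}, nil
}

// Verify checks both layers. The partner's public key is known to the
// monitoring side; the user's public key would be looked up by transaction ID.
func Verify(p Payload, b2cPub, userPub ed25519.PublicKey) error {
	if !ed25519.Verify(b2cPub, p.fields13(), p.B2CSig) {
		return errors.New("watermark: B2C partner signature (field 4) does not verify")
	}
	if !ed25519.Verify(userPub, p.fields14(), p.UserSig) {
		return errors.New("watermark: user signature (field 5) does not verify")
	}
	return nil
}

func main() {
	// Constructed keys and identifiers, not values from the application.
	b2cPub, b2cKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	p, _ := Build("1", "B2C-0042", "TXN-000017", b2cKey, userKey)
	wm := p.String()
	fmt.Println("watermark:", wm)
	back, _ := Parse(wm)
	fmt.Println("verify:", Verify(back, b2cPub, userPub))
}
```

Because the user's signature covers field 4, altering any of fields 1-3 invalidates both layers, and a user cannot forge a partner's layer without the partner's key.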

FIG. 5 is a flowchart of a process of embedding a watermark in media content data performed by the ALAM module 220 of FIG. 2. Each of the blocks of FIG. 5 represents a series of actions or steps. These steps can be carried out by the ALAM module 220 and/or can be carried out by sub-modules within the ALAM module 220 with each block representing one of those sub-modules. Alternatively, various modules of the content distribution system 200 can perform one or more of the steps depicted in FIG. 5.

The ALAM module 220 includes the steps for discovering and prosecuting content pirates, hackers or other inappropriate distributors of media content. These steps may include:

1) Searching and downloading the content files from the Internet, Intranet or other publicly accessible network 510.

2) Locating and identifying the watermark 520.

3) Finding the digital certificate serial number 530.

4) Authenticating the serial number with both the Certification Authority 260 and the customer site 270 B2C partner 540.

5) Decrypting the text string in the watermark using the user's public key 550.

6) Determining the pirate's identity and notifying as appropriate 560.

7) Taking appropriate action against the pirate 570.

8) Notifying other users found with the content files on their own systems 580.
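The twelve-step serial number authentication given earlier and ALAM steps 4 to 6 above share one CA-side lookup; the following Go program, added here and not the application's own code, runs that procedure end to end. It assumes the "encrypt with the user's private key / decrypt with the public key" pair is an Ed25519 sign/verify over the serial (so the step 10 comparison becomes a verification against the stored original), assumes a serial format of its own, and leaves the embedding and extraction of steps 3 and 6 to watermarking technology outside the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// serialPattern is an assumed format standing in for "characters consistent
// with an authentic serial number" (step 10); the application names no format.
var serialPattern = regexp.MustCompile(`^SN-[0-9A-F]{16}$`)

// record is what the CA keeps per serial: the user's public key and the
// original clear serial (steps 4 and 5) plus the issuing partner (step 11).
type record struct {
	Serial    string
	UserPub   ed25519.PublicKey
	PartnerID string
}

// CA models the Certification Authority 260 database, indexed by the signed
// serial. Ed25519 signatures are deterministic, so that value is a stable key.
type CA struct{ bySigned map[string]record }

func NewCA() *CA { return &CA{bySigned: map[string]record{}} }

// NewSerial generates a new unique serial number (step 1, at the B2C partner).
func NewSerial() (string, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return fmt.Sprintf("SN-%X", b[:]), nil
}

// SignSerial is step 2, "encrypting the serial with the user's private key",
// rendered as an Ed25519 signature over the serial bytes.
func SignSerial(userKey ed25519.PrivateKey, serial string) []byte {
	return ed25519.Sign(userKey, []byte(serial))
}

// Register stores the signed serial together with the public key, the clear
// serial and the partner (steps 4 and 5), refusing a signature that does not
// match the supplied key so that the index cannot be poisoned.
func (ca *CA) Register(signed []byte, userPub ed25519.PublicKey, serial, partnerID string) error {
	if !ed25519.Verify(userPub, []byte(serial), signed) {
		return errors.New("ca: signed serial does not match the supplied public key")
	}
	ca.bySigned[hex.EncodeToString(signed)] = record{Serial: serial, UserPub: userPub, PartnerID: partnerID}
	return nil
}

// Authenticate is steps 7 to 11 on a signed serial recovered from a watermark
// (step 6): find the record (8), check the signature with the stored public key
// (9), confirm the serial is well formed and is the stored original (10), and
// report which B2C partner issued it (11). The caller then asks that partner
// for the remaining certificate data (step 12).
func (ca *CA) Authenticate(signed []byte) (partnerID, serial string, err error) {
	rec, ok := ca.bySigned[hex.EncodeToString(signed)]
	if !ok {
		return "", "", errors.New("ca: no record for this signed serial")
	}
	// With a signature scheme, verifying against rec.Serial is the equivalent
	// of decrypting the serial and comparing it with the stored original.
	if !ed25519.Verify(rec.UserPub, []byte(rec.Serial), signed) {
		return "", "", errors.New("ca: signature does not verify with the stored public key")
	}
	if !serialPattern.MatchString(rec.Serial) {
		return "", "", errors.New("ca: stored serial is not a well-formed serial number")
	}
	return rec.PartnerID, rec.Serial, nil
}

func main() {
	ca := NewCA()
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader) // constructed user key pair
	serial, _ := NewSerial()                                // step 1
	signed := SignSerial(userKey, serial)                   // step 2; step 3 embeds `signed`
	_ = ca.Register(signed, userPub, serial, "B2C-0042")    // steps 4 and 5, constructed partner ID
	partner, sn, err := ca.Authenticate(signed)             // steps 6 to 11 on the recovered value
	fmt.Println(partner, sn, err)
}
```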

FIG. 6 is a block diagram of a content distribution system 200 and customer site 270, for example a B2C partner system. In order to provide binding authentication as to ownership, the technology utilizes digital certificates issued by a Certificate Authority (CA) 260, which are installed on the consumer's user device 115. The CA 260 is owned and operated by the creator of the content distribution system 200 since the digital certificates being issued need only be trusted and validated by its customers. Once a digital certificate is generated for a user, all digital content for that user is signed via watermarking using the user's digital certificate.

Digital certificates are installed on the client workstations 115 using software supplied by the creator of the content distribution system 200. This is in the form of signed Java applets that send, receive and install digital certificates over a secure connection, which for comparison purposes is similar to the functionality provided by the Microsoft Internet Explorer and Netscape Navigator web browsers. The creator of the content distribution system 200 provides this client certificate software to eliminate the cross platform and user interface issues imposed by competing browsers, making the installation and use of this certificate technology transparent to the end user, the consumer.

Each digital certificate issued and each key used in watermarking digital content is stored in the content distribution system 200 master database 218. This master database 218 is used for tracking and auditing purposes to identify digital content that is being illegally copied and shared. Ferret, robot or BOT technology supplied with the content distribution system 200 continually scans the Internet looking for copies of digital content that was watermarked by the content distribution system 200. In the event an illegal copy is found, the master database 218 contains information pointing to the original purchaser, who is then contacted for potential legal action or collection of the appropriate fees.

In this example of the system for installing digitally watermarked content on a client workstation 115, the creator of the content distribution system 200 provides a turn-key system for companies wanting to use the technology in their own installation. This method distributes the workload and infrastructure to the customer site 270, for example a B2C partner system, instead of being on a content distribution system 200 site. Software and hardware associated with issuing certificates and watermarking content exists solely at the customer's site 270 with the exception of the master audit database 218, which resides at the content distribution system 200 site.

In this example, the transaction database 214 contains the master database 218 used by the content distribution system 200 to store each customer certificate and each key used in watermarking digital content. All fields containing sensitive information, such as a customer name, certificate, or keys, are encrypted using a one-way hash algorithm to prevent hackers from obtaining proprietary information. The transaction database 214 only accepts connections from the designated transaction servers 620, providing an additional layer of security. Each CA server 640 supplied by the creator of the content distribution system 200 to its customers stores a copy of each transaction in the master database 218 located at the content distribution system 200. The customer certificate data contains all of the fields used to create the original customer certificate as well as the resulting certificate and public key. The key data used for watermarking digital content is a separate record with date and time, content type, and content ID fields with a key pointing to the original certificate. The key data consists of an 18-byte hash key created using the client's digital certificate. This hash key is used by the watermarking software as the key for the embedded watermark. The content distribution system 200 uses the stored key value to determine who a key value belongs to when performing monitoring and enforcement functions. It is anticipated that the databases will see a high volume of accesses, so high capacity servers are likely to be required.

Also in this example, due to the potentially high traffic anticipated for the databases, a transaction server 620 farm may be used to distribute the processing load. The transaction servers 620 in this configuration use Windows Load Balancing Service (WLBS) 614 technology for distributing the workload and to provide a highly scalable, low cost environment. By using WLBS 614, additional transaction servers 620 may be easily added or removed at will. Transactions may include retrieving or storing certificates, keys and their associated data. Transactions containing sensitive data have the appropriate fields encrypted prior to storing in the database and will be decrypted after retrieving from the database 214. The customer transaction servers 630 only accept connections from the designated CA servers 640 based on their IP addresses, further isolating and securing them from unauthorized outside access.

The Certificate Authority servers 640 in this example create and issue digital certificates as well as generate watermark signature keys, which are used as the key in the digital content watermarking process. The CA servers 640 use WLBS 614 technology for distributing the workload and to provide a highly scalable, low cost environment. By using WLBS 614, additional CA servers 640 may be added or removed at will. The CA servers 640 receive certificate and key generation requests using a standard application program interface (API) from the customer's B2C server 650 supplied by the creator of the content distribution system 200. The CA server 640 then generates either a new certificate or a new signed watermark key. The new certificate or key is then returned to the B2C server 650 using the same API.

The CA 260 in this example uses the Microsoft PKI Cryptographic Service Provider (CSP) software, which is provided as part of the base operating system in Windows 2000 Server. The number of certificates issued on a particular CA 260 is virtually unlimited based on the amount of available disk space. Each new certificate uses approximately 1 k bytes in the Windows 2000 Registry, leaving room for millions of certificates in each CA 260 server. As a certificate is created, the resulting certificate and the data used to create it are stored in the master database 218 by passing the data as a transaction to the customer transaction server 630. All fields containing sensitive information such as a customer name, certificate, key, etc. are encrypted on the transaction server 620 using a one-way hash algorithm to prevent hackers from obtaining proprietary information. The CA servers 640 only accept connections from the designated B2C servers 650, thereby providing an additional layer of security.

The B2C server 650 in this example would typically be a customer's existing web or content server currently used to distribute digital content without the content distribution system 200 watermark. Either a DLL or LIB containing the Watermarking API is installed on the B2C server 650, allowing the customer to easily modify their existing software to call the certificate and watermarking functions provided by the content distribution system 200. In a Windows NT environment, the DLL will be an ActiveX component callable from any ActiveX-aware application such as IIS. On the Unix or Linux platforms, a LIB file will be used. The DLL or LIB contains API calls for creating, installing and retrieving digital certificates between the CA server 640 and a client workstation 115 as well as watermarking digital content files. The B2C server 650 interacts with a Java applet running on the client workstation 115 using the content distribution system 200 API functions.

The client workstations 115 in this example instantiate a Java applet that acts as a client/server process. The applet is signed so it can operate outside the Java sandbox, giving it access to low level Windows and Unix/Linux functions. The applet accepts requests from the B2C server 650 using the content distribution system 200 API for installing and retrieving certificates. The applet only accepts requests from the originating B2C server 650, thereby preventing malicious hackers from accessing the client workstation.

In the case of the client workstation 115 being a PDA type device, not a PC, the communications method and certificate storage and retrieval are different. The non-PC device is considered as not having any permanent local storage available to it, and must have some form of unique identifier, similar to a NIC MAC address, that can be transmitted to the B2C server 650 for authentication. The certificate information is stored on the CA server 640 database. Functions that would normally store and retrieve a certificate from a PC are instead simulated using the device id as the key, and stored or retrieved from the CA server 640 database. It is preferable, though not mandatory, that the device be capable of either SSL connections to retrieve the device ID, or be able to execute an RC2 (block) symmetric encryption algorithm to retrieve the device ID over an unsecured connection.

FIG. 7 is a block diagram of a content distribution system 200 and customer site 270, which operates in a similar fashion to the example in FIG. 6 above but the Certificate Authority server 730 is now located at the customer site 270. In this example, the creator of the content distribution system 200 provides the Certificate Authority server 730 for issuing and signing digital certificates, but all content is watermarked at the customer site 270 and only the watermarking software is installed at the customer site 270. As certificates are required, the supplied software installed at the customer site 270 contacts the content distribution system 200 CA server 730 and requests a new certificate or generates a signed key for an existing certificate. A new certificate is then installed on the client workstation 115 using the customer B2C server 740 and a Java applet running on the client workstation 115. For a new digitally signed watermark key, the customer's B2C server 740 receives the watermark key from the content distribution system 200 CA server 730 and watermarks the content file before sending it to the client's workstation 115.

In this example, the database server 710 contains the master database 218 used by the content distribution system 200 to store each customer certificate and each key used in watermarking digital content. All fields containing sensitive information, for example a customer name, certificate, or key, are encrypted using a one-way hash algorithm to prevent hackers from obtaining proprietary information. The database server 710 only accepts connections from the designated transaction servers 720, providing an additional layer of security. Each CA server 730, which may be supplied by the creator of the content distribution system 200 to its customers, stores a copy of each transaction in the master database 218. The customer certificate data contains all of the fields used to create the original customer certificate as well as the resulting certificate and public key. The key data used for watermarking digital content is a separate record with date and time, content type, or content ID fields with a key that points to the original certificate. The key data consists of an 18-byte hash key created using the client digital certificate. This hash key is used by the watermarking software as the key for the embedded watermark. The content distribution system 200 uses the stored key value to determine who a key value belongs to when performing monitoring and enforcement functions. It is anticipated that the database will see a high volume of accesses, so high capacity servers are likely required.

In this example, due to the potentially high traffic anticipated for the database, a transaction server 720 farm is used to distribute the processing load. The transaction servers use the Windows Load Balancing Service (WLBS) 714 technology for distributing the workload and to provide a highly scalable, low cost environment. By using WLBS 714, additional transaction servers may be easily added or removed at will. Transactions may include retrieving or storing certificates, keys and their associated data. Transactions containing sensitive data have the appropriate fields encrypted prior to storing in the database and are decrypted after retrieving from the database. The transaction servers 720 only accept connections from the designated CA servers 730, based on their IP addresses, further isolating and securing them from unauthorized outside access.

The Certificate Authority servers 730 create and issue digital certificates as well as generate watermark signature keys, which are used as the key in the digital content watermarking process. The CA servers 730 use WLBS 714 technology for distributing the workload and to provide a highly scalable, low cost environment. By using WLBS 714, additional CA servers 730 may be added or removed at will. The CA servers 730 receive certificate and key generation requests using an application program interface (API), supplied by the creator of the content distribution system 200, from the customer B2C server 740. The CA servers 730 generate either a new certificate or a new signed watermark key. The new certificate or key is then returned to the B2C server 740 using the same API supplied by the creator of the content distribution system 200.

The CA 260 uses the Microsoft PKI Cryptographic Service Provider (CSP) software, which is provided as part of the base operating system in Windows 2000 Server. The number of certificates issued on a particular CA 260 is virtually unlimited based on the amount of available disk space. Each new certificate uses approximately 1 k bytes in the Windows 2000 Registry, leaving room for millions of certificates in each CA server 730. As a certificate is created, the resulting certificate and the data used to create it are stored in the master database 218 by passing the data as a transaction to the transaction server 720. All fields containing sensitive information, for example a customer name, certificate, or key, are encrypted on the transaction server 720 using a one-way hash algorithm to prevent hackers from obtaining proprietary information. The CA servers 730 only accept connections from the designated B2C servers 740, providing an additional layer of security.

The B2C server 740 typically is a customer's existing web or content server they currently use to distribute digital content without the content distribution system 200 watermark technology. Either a DLL or LIB containing the Watermarking API is installed on the B2C server 740, allowing the customer to easily modify their existing software to call the content distribution system 200 certificate 320 and watermarking 350 modules. In an NT environment, the DLL may be an ActiveX component callable from any ActiveX aware application such as IIS. On the Unix or Linux platforms, a LIB file may be used. The DLL or LIB contains API calls for creating, installing and retrieving digital certificates between the CA server 730 and a client workstation 115, as well as watermarking digital content files. The B2C server 740 interacts with a Java applet running on the client workstation 115 using the content distribution system 200 API functions.

The client workstations 115 in this example instantiate a Java applet that acts as a client/server process. The applet is signed so it can operate outside the Java "sandbox", giving it access to low level Windows and Unix/Linux functions. The applet accepts requests from the B2C server 740 using the content distribution system 200 API for installing and retrieving certificates. The applet only accepts requests from the originating B2C server 740, preventing malicious hackers from accessing the client workstation 115.

In the case of the client workstation 115 being a PDA type device instead of a PC, the communications method and certificate storage and retrieval are different. The non-PC device is considered as not having any permanent local storage available to it, and must have some form of unique identifier, similar to a NIC MAC address, that can be transmitted to the B2C server 740 for authentication. The certificate information is stored on the CA servers 730 database. Functions that would normally store and retrieve a certificate from a PC are instead simulated, using the device ID as the key, and stored or retrieved from the CA server 730 database. It is preferable, though not mandatory, that the device be capable of either SSL connections to retrieve the device ID, or be capable of executing an RC2 (block) symmetric encryption algorithm to retrieve the device ID over an unsecured connection.

The benefits of a content distribution system 200 as described herein may be summarized to include the following:

1) The customer sites 270 are able to authenticate the consumer before the stream of content data is transmitted

2) The customer sites 270 are free to choose any file type or format desired. In other words, such a Content VPN does not prefer any one data format over any other.

3) The customer sites 270 may make sure the consumer has paid for the content before it is downloaded

4) The customer sites 270 may detect and prosecute consumers who have stolen valuable content. The detection and prosecution functions may be performed in an automated fashion.

5) Customer sites 270 are using standardized, well recognized and well regarded digital certificates in accordance with the X.509 protocol

6) Valuable statistics may be gathered and reported on a regular basis. One form for reporting is to provide these statistics over the Internet.

7) Access providers may freely distribute content data knowing that piracy detection and protection functions exist

8) Access providers are able to select the specific devices they communicate with. For example, cable providers may send the stream directly to set-top boxes, or wireless providers may send the stream directly to wireless devices. There is no interference with or hindrance to the normal operation of these devices. The data is simply a stream being passed between the customer site 270 and the user device 115 via the provider of the connection.

9) The consumer may stream, send via FTP, or otherwise copy the content that has been previously paid for as many times as desired. For example, the consumer may request that the stream be directed to a car radio that uses mobile phone technology every morning at the same time.

10) The consumer may play the content on all of the devices previously defined as belonging to them. Therefore, for example, the consumer may play the content on their PC, TV set, laptop computer, CD player, DVD player, or even a neighbor's CD player. As long as these devices have all been registered, the content will play on each of these devices. However, no other devices will be able to decrypt and play this content.

The consumer may select when, how, and which selections will be downloaded. The consumer may indicate the file format because the format of the data is not of concern to such a Content VPN.

The above description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles described herein can be applied to other embodiments without departing from the spirit or scope of the invention. Thus, it is to be understood that the description and drawings presented herein represent a presently preferred embodiment of the invention and are therefore representative of the subject matter which is broadly contemplated by the present invention. It is further understood that the scope of the present invention fully encompasses other embodiments that may become obvious to those skilled in the art and that the scope of the present invention is accordingly limited by nothing other than the appended claims.

1. A system for network-based content distribution comprising: an interface module configured to interface with a network; a transaction module coupled to said interface module and configured to initialize a transaction with a user, authenticate the identity of a user and obtain a digital certificate related to said user, search for content desired by said user, implement a payment transaction, obtain a watermark related to said user, and transfer content selected to said user and insert said watermark into said content; a transaction database configured to store information related to transactions carried out by said transaction module; an archive database configured to store content selected by users; and a certification authority configured to authenticate users.

2. A method for distributing content over a network, the method comprising: initializing a transaction with a user; authenticating the digital certificate of a user; allowing a user to search for and select content to be downloaded; generating a watermark relating to the content to be downloaded, the source of the content and the identity of the user; and inserting said watermark into said content.

3. A method for verifying, searching for and identifying content accessible over a network, the method comprising: identifying files accessible over the network; for each such file, searching for content including a watermark related to the source of the content and the identification of the authorized user of the content; and determining whether the present location of said content with said watermark is in an authorized location.